
I'm using AngularJS. When I set the Cookie header with xhr.setRequestHeader() I get the following error on Chrome:

Refused to set unsafe header "Cookie"

However, the Cookie is included in the request and successfully sent to the server. I seem to have configured everything correctly to allow the Cookie header on server and client:

for the server I have this:

Header add Access-Control-Allow-Credentials "true"

for the client I specify this:

withCredentials

Why do I get this error?

I know that Chrome won't allow you to set content-length for example. It does that for you. So I guess it's maybe the same with the cookie header. – Mouser Jan 31, 2015 at 20:00

@Mouser, I guess that's exactly it! After I've removed setRequestHeader() from my code the Cookie header is still passed to the server. Thanks! Best luck! – Max Koretskyi Jan 31, 2015 at 20:11

You get that error from Chrome because, per the XHR specification, the setRequestHeader method should not set headers with a forbidden header name.

Per the specification:

These are forbidden so the user agent remains in full control over them.

Instead, for Angular 1.x, set the cookie by using $cookies, and it will be included in subsequent xhr requests.

    <?php
    header('Content-Type: text/html; charset=UTF-8');
    // Note: browsers reject a credentialed (withCredentials) request when
    // Access-Control-Allow-Origin is "*"; echo the specific allowed origin instead.
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Headers: *');
    header('Access-Control-Expose-Headers: *');
    header('Access-Control-Allow-Credentials: true');
    ?><!doctype html>
    <html lang="en-US">
    <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    </head>
    <body>
    <script defer="defer" src="https://code.jquery.com/jquery-git.js"></script>
    </body>
    </html>

taken from Liberated HTML5 and W3C's Cross-Origin Resource Sharing.
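As an added example (not code from the question or either answer), here are both halves of what the answer above describes, in JavaScript: the forbidden-header check that makes setRequestHeader("Cookie", ...) a no-op, and the server-side CORS headers that let the browser attach the cookie itself on a withCredentials request. The header list is taken from the Fetch standard's forbidden header names, and the origins and cookie value are constructed for the demo.

```javascript
// Added example, not code from the question or answers above. Two sides of
// the behaviour discussed: the forbidden-header check a browser applies in
// setRequestHeader(), and the response headers a server must send so the
// browser attaches the cookie itself on a withCredentials request.
const FORBIDDEN_HEADER_NAMES = new Set([ // Fetch standard list
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);

// True when a browser must ignore an attempt to set this request header.
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) ||
    n.startsWith("proxy-") || n.startsWith("sec-");
}

// Mirrors what happened in the question: forbidden names are dropped (Chrome
// logs "Refused to set unsafe header"), the rest go out with the request.
function applyRequestHeaders(requested) {
  const sent = {};
  const refused = [];
  for (const [name, value] of Object.entries(requested)) {
    if (isForbiddenRequestHeader(name)) refused.push(name);
    else sent[name] = value;
  }
  return { sent, refused };
}

// Server side. Browsers reject a credentialed response whose
// Access-Control-Allow-Origin is "*", so the origin must be echoed back, and
// only for origins on an explicit allow-list (never reflect arbitrary ones).
function corsHeadersForCredentialed(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // responses differ per origin; keep caches honest
  };
}

// Constructed sample: what the AngularJS client in the question asked for.
const demo = applyRequestHeaders({
  "Cookie": "session=constructed-sample",
  "X-Requested-With": "XMLHttpRequest",
});
console.log(demo.refused, demo.sent);
```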

If you have the cookies sent over, I think that would be good enough. Having "crossDomain: true, withCredentials: true" solved the issue of "Refused to set unsafe header "Cookie"" I encountered as well. Even though the alert message is still there, I have the cookie sent over and get the correct response back.
