jimhigson / oboe.js

A streaming approach to JSON. Oboe.js speeds up web applications by providing parsed objects before the response completes.
http://jimhigson.github.io/oboe.js-website/index.html

Don't set the Content-length by default, possibly a security risk #181

Open zer09 opened 5 years ago

zer09 commented 5 years ago

This header is set by the browser automatically: https://stackoverflow.com/questions/7210507/ajax-post-error-refused-to-set-unsafe-header-connection/7210840

If manually set, it will possibly cause a security risk: https://stackoverflow.com/questions/2623963/webkit-refused-to-set-unsafe-header-content-length https://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415/#case-insensitive-match

Unless it is for compatibility with HTTP/1.0: https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4
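
Added example, not part of the issue thread or of oboe.js: one way a request library could leave browser-controlled headers such as Content-Length to the browser, matching names case-insensitively before calling `setRequestHeader`. The function names and the stub request object are hypothetical.

```javascript
// Added example: names are taken from the forbidden request-header list of
// the XMLHttpRequest/Fetch specifications; function names are hypothetical.
const BROWSER_CONTROLLED = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);
const BROWSER_CONTROLLED_PREFIXES = ['proxy-', 'sec-'];

// Header names are matched case-insensitively, so normalise before comparing.
function isBrowserControlled(name) {
  const lower = String(name).trim().toLowerCase();
  return BROWSER_CONTROLLED.has(lower) ||
    BROWSER_CONTROLLED_PREFIXES.some((p) => lower.startsWith(p));
}

// Pass only caller-owned headers to an XMLHttpRequest-like object and return
// the names that were left for the browser to set, so the caller can log them.
function applyRequestHeaders(xhr, headers) {
  const refused = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (isBrowserControlled(name)) refused.push(name);
    else xhr.setRequestHeader(name, value);
  }
  return refused;
}

// Constructed sample input, with a stub standing in for a real XMLHttpRequest.
function demo() {
  const sent = [];
  const stubXhr = { setRequestHeader: (n, v) => sent.push(`${n}: ${v}`) };
  const refused = applyRequestHeaders(stubXhr, {
    'Content-Type': 'application/json',
    'CONTENT-LENGTH': '17',
    'Connection': 'close',
    'X-Requested-With': 'XMLHttpRequest',
  });
  return { sent, refused };
}
```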