Refused to set unsafe header Connection/Content-length

mathiaz · May 19, 2014 · Viewed 18.5k times

I'm working on a website and I have a problem right here. On the page I'm working on, the user enters an IP address and the ports he wants to be searched. This is done with Ajax (user side) and PHP (server side). Ajax sends the IP and port (one by one) to the PHP file, and it returns the result for the port. The goal is that the user sees which port is being tested (in a div element) at the moment, and here is where the problem is. It runs/works well, it tests all the ports the user wants, but during the test period it shows no port; it just shows the final port (after all previous ports have been tested) and the result of the ports (if some port had a result), which appears in a distinct div element. This works perfectly in Firefox; in other browsers what I just explained happens. The Google Chrome console says: Refused to set unsafe header "Content-length" and Refused to set unsafe header "Connection". I've been searching about this problem for days and I found so many things and I tried them, but none of them solved the problem.

Here is my code.

jquery.js

function HttpRequest(endereco, portainicio)
{      
    var xmlhttp;
    var params = "endereco="+endereco+"&"+"porta="+portainicio;

    if (window.XMLHttpRequest) // IE7+, Firefox, Chrome, Opera, Safari
    {
        xmlhttp = new XMLHttpRequest();
    }

    else // IE6, IE5
    {
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }

    xmlhttp.open("POST", "/firewall/ajax", false);

    //alert(params);

    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", params.length);
    xmlhttp.setRequestHeader("Connection", "close");

    xmlhttp.send(params);
    return xmlhttp.responseText;
}

function ajaxfirewall()
{
    (...)

    var resposta;

    $("p.ip").append("<span class='end'> "+endereco+"</span>");       

    for (portainicio; portainicio <= portafinal; portainicio++)
    {   
        resposta = HttpRequest(endereco, portainicio);              
        $("p.porta").append(" <span class='tporta'>"+ resposta+"</span><br>");
    }

    return false;
}

Another thing is really strange. Do you see that alert(params); which is commented out in the HttpRequest function? If I leave it uncommented it displays the port which is being tested, but it shows the alert and I don't want that.

Answer

Patru · May 19, 2014

Without the HTML your jquery.js is supposed to work on, this involves some guesswork (maybe you could post the relevant excerpt (hint, hint)). I would consider it possible that $("p.porta") cannot be found or that the appended HTML reacts in an unexpected way. You should try to just print your results to the console using e.g. console.log (that is, if you are using Firebug or some such) in order to see what you get at what time. Maybe you will find something on the client side too.

Update: Judging from this question and its accepted answer, the Chrome behavior is actually what you should expect. The standard for XMLHttpRequests prescribes that these two headers should not be set by the client in order to avoid request smuggling attacks. You just should not set them (even if your PHP source tells you to).
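
Added example, not part of the original question or answer: a check for the header names a browser refuses in setRequestHeader(), and a version of the POST that leaves Content-Length and Connection to the browser. The function names, the asynchronous request and the name list (taken from the Fetch standard's forbidden request-header list) are assumptions of this example.

```javascript
// Added example: which request headers a page script may set itself.
// Names are the forbidden request-headers of the Fetch standard (lower-cased).
// The conditionally forbidden method-override headers are not covered here.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);

// True when the browser refuses setRequestHeader() for this name.
function isForbiddenHeader(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Split a header map into what the script may set and what the browser owns.
function partitionHeaders(headers) {
  const allowed = {};
  const refused = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenHeader(name)) refused.push(name);
    else allowed[name] = String(value);
  }
  return { allowed, refused };
}

// Encode form fields so "&" or "=" in a value cannot split the body.
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Browser-only: POST the form; Content-Length and Connection are left to the
// browser, which computes them from the body it actually sends.
function postForm(url, fields, headers, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open("POST", url, true); // asynchronous: a choice made for this example
  for (const [n, v] of Object.entries(partitionHeaders(headers).allowed)) {
    xhr.setRequestHeader(n, v);
  }
  xhr.onload = () => onDone(xhr.status, xhr.responseText);
  xhr.send(encodeForm(fields));
}
```

Passing the three headers from the question to partitionHeaders() puts Content-length and Connection in `refused` and leaves only Content-type to be set.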