The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders
event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:
The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.
- Authorization
- Cache-Control
- Connection
- Content-Length
- Host
- If-Modified-Since
- If-None-Match
- If-Range
- Partial-Data
- Pragma
- Proxy-Authorization
- Proxy-Connection
- Transfer-Encoding
Is there a security reason to disable extensions from reading or writing these? How could an extension act maliciously if it could read/write these values?
Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Host, Connection or Content-Length are a complete enigma to me.
Furthermore, it's unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.