The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:
The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.
Is there a security reason to disable extensions from reading or writing these? How could an extension act maliciously if it could read/write these values?
Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Content-Length are a complete enigma to me.
Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.