Why does Chrome not allow the modification of these headers by extensions?


The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:

The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.

  • Authorization
  • Cache-Control
  • Connection
  • Content-Length
  • Host
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • Partial-Data
  • Pragma
  • Proxy-Authorization
  • Proxy-Connection
  • Transfer-Encoding

Is there a security reason to disable extensions from reading or writing these? How could an extension act malicious if it could read/write these values?


Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Host, Connection or Content-Length are a complete enigma to me.

Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.