header restrictions with XHR

does XMLHTTPR开发者_StackOverflowequest allow one to set "any" headers? Because it seems to be limiting me from setting the host header.

No, as it will cause security issues. Please refer to W3C XMLHttpRequest Level 2 spec, the setRequestHeader() method should terminate if header is a case-insensitive match for one of the following headers:

• Accept-Charset
• Accept-Encoding
• Access-Control-Request-Headers
• Access-Control-Request-Method
• Connection
• Content-Length
• Cookie
• Cookie2
• Content-Transfer-Encoding
• Date
• Expect
• Host
• Keep-Alive
• Origin
• Referer
• TE
• Trailer
• Transfer-Encoding
• Upgrade
• User-Agent
• Via

Update: Konstantinos Filios is right that latest list can be found in WHATWG XMLHttprequest spec.