
Spoofing referer header xmlhttprequest #118

Closed
C0nw0nk opened this issue May 30, 2018 · 3 comments

Comments

@C0nw0nk

C0nw0nk commented May 30, 2018

So when trying to spoof the referer header I get this error in my console.

Attempt to set a forbidden header was denied: Referer

var referer = 'cake';
req.setRequestHeader('Referer', referer);

Curious if it is possible to even fake these headers.

I see I can fake and spoof the User-Agent header.

@C0nw0nk
Author

C0nw0nk commented May 30, 2018

Full code.

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="referrer" content="no-referrer" />
<style>
html,body,video {
    margin: auto;
    width: auto;
    padding: 10px;
    text-align: center;
}
</style>
</head>
<body>
<video controls="controls" src="" autoplay="autoplay" preload="auto"></video>
<script>
var cors_origin_fix = 'https://cors-anywhere.herokuapp.com/';
var assetURL = cors_origin_fix+'http://nickdesaulniers.github.io/netfix/demo/frag_bunny.mp4';
//so large may take while to buffer.
//'http://commondatastorage.googleapis.com/gtv-videos-bucket/sample/BigBuckBunny.mp4';

var referer = 'cake';
</script>

<script>
var video = document.querySelector('video');

var req = new XMLHttpRequest();
req.open('GET', assetURL, true);
req.responseType = 'blob';
req.setRequestHeader('Referer', referer);
//req.setHeaders('Referer', referer);

req.onload = function() {
   // Onload is triggered even on 404
   // so we need to check the status code
   if (this.status === 200) {
      var videoBlob = this.response;
      var vid = URL.createObjectURL(videoBlob); // IE10+
      // Video is now downloaded
      // and we can set it as source on the video element
      video.src = vid;
   }
}
req.onerror = function() {
   // Error
}

req.send();
</script>
</body>
</html>

@Rob--W
Owner

Rob--W commented May 30, 2018

Some request headers are forbidden and cannot be changed from a browser: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

@Rob--W Rob--W closed this as completed May 30, 2018
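The forbidden-header rule above is what lets a server treat Referer, Origin, Cookie and Host as not script-controlled when the request comes from a browser page (a non-browser client can still send anything, so these headers are only a weak signal on their own). The following is an added example, not code from this issue or from cors-anywhere: it models the Fetch standard's forbidden request-header check so a page can see up front which headers the browser will drop, instead of only noticing the console warning. The header list is the spec's at the time of writing and browsers may extend it, so treat it as illustrative.

```javascript
// Forbidden request-header check modelled on the Fetch standard (the list
// MDN documents as "forbidden header names"). Added example, not part of
// cors-anywhere; the list reflects the spec at time of writing.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

// Method-override headers are forbidden only when their value names a method
// the browser itself would never send (CONNECT, TRACE, TRACK).
const METHOD_OVERRIDE_HEADERS = new Set([
  'x-http-method', 'x-http-method-override', 'x-method-override',
]);
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);

function isForbiddenRequestHeader(name, value = '') {
  const n = String(name).toLowerCase();
  if (FORBIDDEN_REQUEST_HEADERS.has(n)) return true;
  // Whole prefixes are reserved: Proxy-* and Sec-* (e.g. Sec-Fetch-Site).
  if (n.startsWith('proxy-') || n.startsWith('sec-')) return true;
  if (METHOD_OVERRIDE_HEADERS.has(n)) {
    return String(value).split(',')
      .some((m) => FORBIDDEN_METHODS.has(m.trim().toUpperCase()));
  }
  return false;
}

// Filter a header map the way the browser does before the request hits the
// wire: forbidden names are dropped (XHR logs a warning, fetch drops silently).
// Returns what would actually be sent and what was rejected.
function filterRequestHeaders(headers) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name, value)) dropped.push(name);
    else sent[name] = value;
  }
  return { sent, dropped };
}

// Constructed sample: the header the issue tries to set, plus a few others.
const example = filterRequestHeaders({
  'Referer': 'cake',
  'User-Agent': 'custom/1.0',
  'Origin': 'https://example.test',
  'X-Requested-With': 'XMLHttpRequest',
});
```

Running this on the sample reports Referer and Origin as dropped while User-Agent goes through, which matches the behaviour the reporter observed.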
@C0nw0nk
Author

C0nw0nk commented May 30, 2018

A shame, the scripts would be awesome if that could be overcome.
