This particular attack might not seem interesting at first because nothing browsable on the public internet without cookies or other credentials will be sensitive, and Dhall doesn't maintain a cookie jar of credentials for the user. I don't think I've got a working exploit here, but I think this example at least demonstrates the point that certain request headers are sensitive and changing them can violate security assumptions.
The CORS spec has a list of forbidden header names which clients are not allowed to set for this reason. We could try to implement this forbidden header list.
Perhaps controversially, I'd be inclined to explore removing
@philandstuff: I believe the main use case for the
One way we could do this is that instead of blacklisting headers, we can whitelist only authorization-related headers (i.e.
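As an added example (not code from the Dhall project or from anyone in this thread), the two filtering strategies raised above side by side in Python: a blocklist built from the forbidden request header names in the Fetch standard (the list is copied from that spec as it stood when this was written, so check the current spec before relying on it), and an allowlist that admits only authorization-related headers. The exact allowlist contents (`Authorization` only), the function names, and the sample header list are assumptions made for this example; headers are represented as plain `(name, value)` pairs rather than in Dhall's record syntax.

```python
"""Two ways to filter user-supplied import request headers (added example).

1. Blocklist: reject the forbidden request header names from the Fetch
   standard (names that browsers refuse to let scripts set).
2. Allowlist: keep only authorization-related headers.
The allowlist contents below are an assumption for this example.
"""
from __future__ import annotations

# Forbidden request header names from the Fetch standard, compared
# case-insensitively. Copied from the spec at time of writing; verify
# against the current spec before relying on it.
FORBIDDEN_HEADER_NAMES = frozenset(name.lower() for name in [
    "Accept-Charset", "Accept-Encoding", "Access-Control-Request-Headers",
    "Access-Control-Request-Method", "Connection", "Content-Length",
    "Cookie", "Cookie2", "Date", "DNT", "Expect", "Host", "Keep-Alive",
    "Origin", "Referer", "Set-Cookie", "TE", "Trailer",
    "Transfer-Encoding", "Upgrade", "Via",
])
# Any header whose name starts with one of these prefixes is also forbidden.
FORBIDDEN_PREFIXES = ("proxy-", "sec-")
# Method-override headers are forbidden only when their value names a
# forbidden method (CONNECT, TRACE, TRACK).
METHOD_OVERRIDE_HEADERS = frozenset(
    {"x-http-method", "x-http-method-override", "x-method-override"}
)
FORBIDDEN_METHODS = frozenset({"connect", "trace", "track"})

# Allowlist strategy: which header names are authorization-related.
# This set is an assumption for the example, not a Dhall decision.
ALLOWED_HEADER_NAMES = frozenset({"authorization"})

Header = tuple[str, str]


def is_forbidden_header(name: str, value: str) -> bool:
    """Return True if (name, value) is a forbidden request header."""
    n = name.strip().lower()
    if n in FORBIDDEN_HEADER_NAMES or n.startswith(FORBIDDEN_PREFIXES):
        return True
    if n in METHOD_OVERRIDE_HEADERS:
        methods = {m.strip().lower() for m in value.split(",")}
        return bool(methods & FORBIDDEN_METHODS)
    return False


def filter_headers_blocklist(headers: list[Header]) -> tuple[list[Header], list[Header]]:
    """Split headers into (kept, rejected) using the forbidden-name blocklist."""
    kept, rejected = [], []
    for name, value in headers:
        (rejected if is_forbidden_header(name, value) else kept).append((name, value))
    return kept, rejected


def filter_headers_allowlist(headers: list[Header]) -> tuple[list[Header], list[Header]]:
    """Split headers into (kept, rejected), keeping only allowlisted names."""
    kept, rejected = [], []
    for name, value in headers:
        target = kept if name.strip().lower() in ALLOWED_HEADER_NAMES else rejected
        target.append((name, value))
    return kept, rejected


# Constructed sample input: what a `using` header list might carry.
SAMPLE_HEADERS: list[Header] = [
    ("Authorization", "Bearer example-token"),
    ("Host", "internal.example"),
    ("Cookie", "session=abc"),
    ("X-Forwarded-Host", "other.example"),
    ("Sec-Fetch-Site", "same-origin"),
    ("X-HTTP-Method-Override", "TRACE"),
]

if __name__ == "__main__":
    for label, fn in (("blocklist", filter_headers_blocklist),
                      ("allowlist", filter_headers_allowlist)):
        kept, rejected = fn(SAMPLE_HEADERS)
        print(f"{label}: kept={[n for n, _ in kept]} "
              f"rejected={[n for n, _ in rejected]}")
```

Run on the constructed sample, the blocklist rejects `Host`, `Cookie`, `Sec-Fetch-Site` and the `TRACE` method override but lets `X-Forwarded-Host` through, because that name is not on the Fetch list; the allowlist keeps only `Authorization`. That difference is the practical argument for the allowlist approach: a blocklist can only ever cover the headers someone already thought of.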