You cannot force the XMLHttpRequest.setRequestHeader()
method to add the Expect
header for security reasons, as you can read in the W3C XMLHttpRequest specification:
The setRequestHeader(header, value) method must run these steps:
- If the state is not OPENED, throw an "InvalidStateError" exception and terminate these steps.
- If the send() flag is set, throw an "InvalidStateError" exception and terminate these steps.
- If header does not match the field-name production, throw a "SyntaxError" exception and terminate these steps.
- If value does not match the field-value production, throw a "SyntaxError" exception and terminate these steps (note: The empty string is legal and represents the empty header value).
Terminate these steps if header is a case-insensitive match for one of the following headers:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection Content-Length
- Cookie
- Cookie2
- Blockquote
- Date
- DNT
- Expect
- Host
- Keep-Alive Origin
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- User-Agent
- Via
...or if the start of header is a case-insensitive match for Proxy- or Sec- (including when header is just Proxy- or Sec-).
The above headers are controlled by the user agent to let it control those aspects of transport. This guarantees data integrity to some extent. Header names starting with Sec- are not allowed to be set to allow new headers to be minted that are guaranteed not to come from XMLHttpRequest.
As a further reference:
Some browsers (Chrome, for example) will also display an error in their "JavaScript Console":