Reviewed by Darin.
[WebKit-https.git] / WebCore / xml / XMLHttpRequest.cpp
index cd2033aea4b6fc40298ca8846ccccd45e260d5e3..fb298846f3f3fc584fab9eb69048b5ce0f708a70 100644 (file)
@@ -81,6 +81,10 @@ static void removeFromRequestsByDocument(Document* doc, XMLHttpRequest* req)
 
 static bool canSetRequestHeader(const String& name)
 {
+    // A privileged script (e.g. a Dashboard widget) can set any headers.
+    if (m_doc->isAllowedToLoadLocalResources())
+        return true;
+
     static HashSet<String, CaseFoldingHash> forbiddenHeaders;
     static String proxyString("proxy-");
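Review bot: The added check reads `m_doc` inside `canSetRequestHeader`, which is declared as a file-scope `static` function taking only `name`, so no `XMLHttpRequest` member is in scope and the new lines look like they cannot compile as written. Either pass the document in, e.g. `static bool canSetRequestHeader(Document* doc, const String& name)`, or leave the helper unchanged and do the privilege test at its call site, which is not visible in this hunk. Because the early `return true` runs before the `forbiddenHeaders` set is consulted, every document for which `isAllowedToLoadLocalResources()` holds gets unrestricted request headers. The comment should state that trust assumption, e.g. `// Header filtering is skipped only for documents already trusted to load local resources; ordinary web content must never reach this branch.` If the request can outlive its document (this hunk does not show whether it can), a null check before the call is also worth adding; the function body continues outside the hunk.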