Scripts should not be able to set the DNT (Do Not Track) header of an HTTP request using XMLHttpRequest (except if privileged).
Created attachment 223717: Patch
Why?
The DNT header should be set by web engines according to user preferences. That includes all HTTP requests, including XHR requests. Unprivileged web apps should not be allowed to override/interfere with user preferences. A simple way to handle that is to disallow XHR to set the DNT header, as specified in http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader()-method. Mozilla seems to implement that behavior. Blink seems to allow setting the DNT header. I do not know what others do. The bug title is a bit misleading, I will change it (s/send/set/).
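The check the comment above refers to, as an added illustration that is not WebKit's code: a model of the forbidden-header step of setRequestHeader(), using the header names the XHR spec listed alongside DNT (the list is reproduced here from the spec of that time and is an assumption of this example, as is the RequestHeaders class).

```javascript
// Header names the XHR spec's setRequestHeader() refuses to let script set;
// the match is case-insensitive, so DNT, dnt and Dnt are all rejected.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "user-agent", "via",
]);

// True when the user agent, not the page, owns this header.
// Besides the fixed list, any Proxy-* or Sec-* name is forbidden.
function isForbiddenRequestHeader(name) {
  const lower = String(name).toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(lower) ||
    lower.startsWith("proxy-") || lower.startsWith("sec-");
}

// Minimal model of the header-setting step (assumed class, not a real API):
// a forbidden name is silently dropped, which is what the spec means by
// "terminate these steps"; anything else is recorded, and repeated calls
// for the same name append with ", " as setRequestHeader() does.
class RequestHeaders {
  constructor() { this.headers = new Map(); }

  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) return false; // DNT stays under user control
    const key = String(name).toLowerCase();
    const existing = this.headers.get(key);
    this.headers.set(key, existing === undefined ? String(value) : `${existing}, ${value}`);
    return true;
  }

  get(name) { return this.headers.get(String(name).toLowerCase()); }
}
```

A quick way to confirm what a given engine does is to call `xhr.setRequestHeader("DNT", "0")` from a page and inspect the outgoing request in the network panel: the header should reflect the browser's own setting, not the script's.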
Comment on attachment 223717: Patch. The short answer is that the XHR spec currently says so. "Terminate these steps if header is a case-insensitive match for one of the following headers: <...>"
Comment on attachment 223717: Patch. Clearing flags on attachment: 223717. Committed r163915: <http://trac.webkit.org/changeset/163915>
All reviewed patches have been landed. Closing bug.