XHR is a rather high level API that works well in most cases but lacks some flexibility. You might want to look at the fetch API which gives more flexibility to the web developper. For instance, with the fetch API, there is an option to control the referrer. To be noted though that some headers cannot be let under the control of the web application for security purposes. I don't think that there is a way to remove all headers you want with the fetch API. That said, HTTP/2 uses HPACK for header representation and for the headers you are mentioning (except referer), it will be very good at representing them in a few bytes. So my suggestion would be to migrate to HTTP/2 and start using the fetch API wherever available.

What are those security purposes? I'm connecting to my own server.

Ok, so how can I submit a pull request? I just need this edit in class XMLHttpRequest.cpp and method XMLHttpRequest::setRequestHeader: if(m_sameOriginRequest && value == null) m_requestHeaders.remove(name) before this comment: // A privileged script (e.g. a Dashboard widget) can set any headers.

Maybe this is better: if(m_sameOriginRequest && value.length() == 0) { m_requestHeaders.remove(name) return; } Just google "remove header XHR" to see why those 4 lines would be a great addition to webkit.

What you propose may just remove headers that the web app previously set. It will not remove the headers that lower layers of WebKit will set. Before uploading a patch here, it might be better to file an issue at whatwg xhr github.

Ok, can you point me to the code that would remove headers? I have started a discussion over at github too: https://github.com/whatwg/xhr/issues/83

So whatwg could not help with XHR. I filed a issue for fetch. But I really think this is needed so much it would make sense to add it to XHR too. What are the details of getting these headers removed? Can you point me to some places in the source?

The simplest approach might be to grep the code for - addHTTPHeaderField - HTTPHeaderName:: You will find places like CachedResource (for referrer and origin), DocumentThreadableLoader, CachedResourceLoader, ResourceLoader. Other headers might be specified in WebKit platform a specific code (see soup, cf code). Non-WebKit code my also update headers: HTTP libraries, browser a specific code. If you are building your app with a browser, one solution may be a local proxy between your client and server. If you are using a WebView, there may be callbacks that may allow you to inspect and modify requests before sending them.

Or using WebSocket...

We generally don't want to add new functionality to XMLHttpRequest.