WebKit "Refused to set unsafe header 'content-length'"
it is also ignoring my setRequestHeader calls and generating its own
Yes, the standard says it must:
For security reasons, these steps should be terminated if header is [...]
- Connection
- Content-Length
Messing around with those could expose various request smuggling attacks, so the browser always uses its own values. There's no need or reason to try to set the request length, as the browser can do that accurately from the length of data you pass to send()
.