且构网

Browser reports 'Refused to set unsafe header "Cookie"' but the request succeeds

Updated: 2022-10-19 15:06:16

I'm using AngularJS. When I set the Cookie header with xhr.setRequestHeader(), I get the following error in Chrome:

Refused to set unsafe header "Cookie"

However, the Cookie is included in the request and successfully sent to the server. I seem to have configured everything correctly to allow the Cookie header on the server and client:

For the server I have these:

Header add Access-Control-Allow-Credentials "true"

For the client I specify these:

withCredentials

Why does this error occur?

You get that error from Chrome because, per the XHR specification, the setRequestHeader method should not set headers with a forbidden header name.

Per the specification:

These are forbidden so the user agent remains in full control over them.

Instead, for Angular 1.x, set the cookie by using $cookies, and it will be included in subsequent xhr requests.
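
An added example, not part of the original answer or of AngularJS: a check modelled on the Fetch standard's forbidden request-header rules, for filtering a header map before calling setRequestHeader on an already opened request. The helper name applyHeaders and the sample values are assumptions; the name list is transcribed from the standard, and what a given browser version enforces may differ slightly.

```javascript
// Forbidden request-header names, lower-cased (transcribed from the Fetch standard).
const FORBIDDEN_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);
const METHOD_OVERRIDE_NAMES = new Set([
  'x-http-method', 'x-http-method-override', 'x-method-override',
]);
const FORBIDDEN_METHODS = new Set(['connect', 'trace', 'track']);

// True when script is not allowed to set this header on an XHR/fetch request.
function isForbiddenRequestHeader(name, value = '') {
  const n = String(name).trim().toLowerCase();
  if (FORBIDDEN_NAMES.has(n)) return true;
  if (n.startsWith('proxy-') || n.startsWith('sec-')) return true;
  if (METHOD_OVERRIDE_NAMES.has(n)) {
    // Override headers are forbidden only when they name a forbidden method.
    return String(value).split(',')
      .some((m) => FORBIDDEN_METHODS.has(m.trim().toLowerCase()));
  }
  return false;
}

// Hypothetical helper: sets only the headers script may set and returns the
// names it skipped. A Cookie entry is never forwarded; withCredentials is
// enabled instead so the browser sends its own cookies on cross-origin requests.
function applyHeaders(xhr, headers) {
  const skipped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name, value)) {
      skipped.push(name);
      if (name.trim().toLowerCase() === 'cookie') xhr.withCredentials = true;
    } else {
      xhr.setRequestHeader(name, value);
    }
  }
  return skipped;
}
```

The returned list can be logged during development to find code paths that still try to set headers the browser controls.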