Issue 177 Unsafe Header No-Op Implementation Plan
For Claude: REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
Goal: Make FakeXMLHttpRequest#setRequestHeader ignore forbidden request headers instead of throwing, matching the XHR spec discussed in issue #177.
Architecture: Keep the existing request state validation and header normalization flow, but change the forbidden-header branch to return early without mutating requestHeaders. Update the XHR tests to assert that forbidden headers are ignored by default while preserving the existing opt-out path when unsafeHeadersEnabled is false.
Tech Stack: Node.js, Mocha, Referee, nise fake XHR implementation
Task 1: Lock in the desired behavior with tests
Files:
- Modify: lib/fake-xhr/index.test.js
- Test: lib/fake-xhr/index.test.js
Step 1: Write the failing test
Add assertions that forbidden headers do not throw and do not populate requestHeaders when unsafe header checks are enabled.
Step 2: Run test to verify it fails
Run: npm test -- --grep "ignores unsafe headers by default"
Expected: FAIL because the current implementation throws.
Task 2: Implement the minimal behavior change
Files:
- Modify: lib/fake-xhr/index.js
- Test: lib/fake-xhr/index.test.js
Step 1: Write minimal implementation
Change the forbidden-header branch in setRequestHeader from throwing an error to returning early.
Step 2: Run targeted tests to verify it passes
Run: npm test -- --grep "unsafe headers"
Expected: PASS for the updated default behavior and the existing override behavior.
Task 3: Verify no regression in adjacent header behavior
Files:
- Test: lib/fake-xhr/index.test.js
Step 1: Run related header tests
Run: npm test -- --grep ".setRequestHeader"
Expected: PASS
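
The behavior Tasks 1 to 3 pin down, sketched as an added example (not nise's code and not part of the original plan): a simplified model of the forbidden-header branch returning early, the opt-out path, and adjacent header combining. ModelXHR, isForbidden, demo and the boolean unsafeHeadersEnabled option are assumptions made for illustration, and the forbidden list is a subset of the Fetch spec's names.

```javascript
// Subset of the Fetch spec's forbidden request-header names, lower-cased.
const FORBIDDEN = new Set([
    "accept-charset", "accept-encoding", "connection", "content-length",
    "cookie", "cookie2", "date", "dnt", "expect", "host", "keep-alive",
    "origin", "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

function isForbidden(name) {
    const lower = name.toLowerCase();
    return FORBIDDEN.has(lower) || lower.startsWith("sec-") || lower.startsWith("proxy-");
}

// Hypothetical minimal model of a fake XHR; only header handling is modelled.
class ModelXHR {
    constructor({ unsafeHeadersEnabled = true } = {}) {
        this.unsafeHeadersEnabled = unsafeHeadersEnabled; // assumed boolean switch
        this.requestHeaders = {};
        this.opened = false;
    }
    open() { this.opened = true; }
    setRequestHeader(name, value) {
        if (!this.opened) {
            throw new Error("INVALID_STATE_ERR"); // state validation is unchanged
        }
        if (this.unsafeHeadersEnabled && isForbidden(name)) {
            return; // the change: silent no-op, requestHeaders is not mutated
        }
        // Adjacent behavior that must not regress: case-insensitive combining.
        const existing = Object.keys(this.requestHeaders)
            .find((key) => key.toLowerCase() === name.toLowerCase());
        if (existing) { this.requestHeaders[existing] += ", " + value; }
        else { this.requestHeaders[name] = value; }
    }
}

function demo() {
    const strict = new ModelXHR();
    strict.open();
    strict.setRequestHeader("Cookie", "sid=constructed"); // constructed value
    strict.setRequestHeader("Sec-Fetch-Mode", "cors");
    strict.setRequestHeader("X-Trace", "a");
    strict.setRequestHeader("x-trace", "b");
    const optOut = new ModelXHR({ unsafeHeadersEnabled: false });
    optOut.open();
    optOut.setRequestHeader("Cookie", "sid=constructed");
    return { strict: strict.requestHeaders, optOut: optOut.requestHeaders };
}
```

Because a forbidden header no longer raises, a test that wants to catch application code trying to set Cookie or Host has to assert on requestHeaders rather than expect an exception.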