{
  "context": "Evaluates whether the solution uses the xmlhttprequest package to enforce spec-compliant request and response header handling, including respecting the default forbidden list and case-insensitive retrieval. Checks focus on correct API calls and toggleable override behavior tied to the spec tasks.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "XHR setup",
      "description": "Creates an xmlhttprequest `XMLHttpRequest` instance, calls `open` with the requested method/url in async mode, and waits for `readyState === XMLHttpRequest.DONE` before resolving using onreadystatechange or load events.",
      "max_score": 15
    },
    {
      "name": "Allowed headers",
      "description": "Applies provided custom headers with `setRequestHeader` before `send`, ensuring allowed headers (e.g., X-Trace-Id) are attached via the package API rather than manual socket options.",
      "max_score": 20
    },
    {
      "name": "Default blocking",
      "description": "When overrides are not requested, relies on the package's default header blacklist by avoiding `XMLHttpRequest.setDisableHeaderCheck(true)` (or similar) so forbidden headers like `Content-Length` are not set.",
      "max_score": 20
    },
    {
      "name": "Override toggle",
      "description": "When overrides are enabled, explicitly calls `XMLHttpRequest.setDisableHeaderCheck(true)` (or the instance equivalent) before setting otherwise forbidden headers, and resets the flag after use to avoid leaking the override.",
      "max_score": 20
    },
    {
      "name": "Response headers",
      "description": "Reads response headers through `getResponseHeader` and/or `getAllResponseHeaders` after DONE to build a case-insensitive map, exposing custom headers like X-Reply-Token while omitting cookie headers filtered by the package.",
      "max_score": 25
    }
  ]
}