{
  "context": "Evaluates whether the solution uses the xmlhttprequest package to temporarily bypass the default header blacklist, send forbidden headers when explicitly allowed, and restore protections afterward while returning the requested response details.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "XMLHttpRequest usage",
      "description": "Requests are performed with the package's XMLHttpRequest constructor (not fetch/http), using its status/response fields to drive results.",
      "max_score": 15
    },
    {
      "name": "Disable header check",
      "description": "Calls setDisableHeaderCheck(true) or equivalent before attempting any forbidden header so the package allows setting headers like Referer or manual Content-Length.",
      "max_score": 30
    },
    {
      "name": "Set forbidden header",
      "description": "Uses setRequestHeader to apply the provided forbidden header value and manual Content-Length when override is permitted, sourcing values from inputs.",
      "max_score": 25
    },
    {
      "name": "Restore guard",
      "description": "Restores default header blocking after the override request (e.g., setDisableHeaderCheck(false) or per-request instances) so later calls run with protection enabled.",
      "max_score": 15
    },
    {
      "name": "Blocked without override",
      "description": "When override is disabled, the code relies on the package's built-in blacklist by not disabling checks, causing setRequestHeader to reject/omit forbidden headers and surfacing a clear error path.",
      "max_score": 15
    }
  ]
}