Skip to content

Update forbidden request headers in glossary #41830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hamishwillee merged 2 commits into from
Nov 13, 2025
Merged

Update forbidden request headers in glossary #41830

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0017e7e
Update forbidden request headers in glossary
verhovsky Nov 6, 2025
be92af5
Replace Cookie2 with formatted code syntax
verhovsky Nov 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Update forbidden request headers in glossary 
Added 'Cookie2' and 'Set-Cookie', removed 'Permissions-Policy' and added a note about 'Access-Control-Request-Private-Network' for Chrome.
  • Loading branch information
@verhovsky
verhovsky authored Nov 6, 2025
commit 0017e7e007bf2af3336091e9f1c3e05e9e4bb39a
6 changes: 5 additions & 1 deletion files/en-us/glossary/forbidden_request_header/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,17 @@ Forbidden headers are one of the following:
- {{HTTPHeader("Connection")}}
- {{HTTPHeader("Content-Length")}}
- {{HTTPHeader("Cookie")}}
- {{HTTPHeader("Cookie2")}}
- {{HTTPHeader("Date")}}
- {{HTTPHeader("DNT")}}
- {{HTTPHeader("Expect")}}
- {{HTTPHeader("Host")}}
- {{HTTPHeader("Keep-Alive")}}
- {{HTTPHeader("Origin")}}
- {{HTTPHeader("Permissions-Policy")}}
- `Proxy-` headers
- `Sec-` headers
- {{HTTPHeader("Referer")}}
- {{HTTPHeader("Set-Cookie")}}
- {{HTTPHeader("TE")}}
- {{HTTPHeader("Trailer")}}
- {{HTTPHeader("Transfer-Encoding")}}
Expand All @@ -53,6 +54,9 @@ Forbidden headers are one of the following:
> [!NOTE]
> While the {{HTTPHeader("Referer")}} header is listed as a forbidden header [in the spec](https://fetch.spec.whatwg.org/#forbidden-request-header), the user agent does not retain full control over it and the header can be programmatically modified. For example, when using [`fetch()`](/en-US/docs/Web/API/Window/fetch), the {{HTTPHeader("Referer")}} header can be programmatically modified via the [`referrer` option](/en-US/docs/Web/API/RequestInit#referrer).

> [!NOTE]
> Chrome also forbids `Access-Control-Request-Private-Network`
Comment on lines +57 to +58
Copy link
Collaborator

@hamishwillee hamishwillee Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW We should document this header and add it to BCD mdn/browser-compat-data#25467.

Because we have not done so I think this is good (because there is no way for anyone to work out the support story on this) but when BCD/docs exist this would just be in the main list.


## See also

- Related glossary terms:
Expand Down