Update forbidden request headers in glossary (#41830)

verhovsky · web-flow · commit 1ee2cfe932b6 · 2025-11-14T10:43:57.000+11:00
* Update forbidden request headers in glossary

Added 'Cookie2' and 'Set-Cookie', removed 'Permissions-Policy' and added a note about 'Access-Control-Request-Private-Network' for Chrome.

* Replace Cookie2 with formatted code syntax
diff --git a/files/en-us/glossary/forbidden_request_header/index.md b/files/en-us/glossary/forbidden_request_header/index.md
@@ -28,16 +28,17 @@ Forbidden headers are one of the following:
 - {{HTTPHeader("Connection")}}
 - {{HTTPHeader("Content-Length")}}
 - {{HTTPHeader("Cookie")}}
+- `Cookie2`
 - {{HTTPHeader("Date")}}
 - {{HTTPHeader("DNT")}}
 - {{HTTPHeader("Expect")}}
 - {{HTTPHeader("Host")}}
 - {{HTTPHeader("Keep-Alive")}}
 - {{HTTPHeader("Origin")}}
-- {{HTTPHeader("Permissions-Policy")}}
 - `Proxy-` headers
 - `Sec-` headers
 - {{HTTPHeader("Referer")}}
+- {{HTTPHeader("Set-Cookie")}}
 - {{HTTPHeader("TE")}}
 - {{HTTPHeader("Trailer")}}
 - {{HTTPHeader("Transfer-Encoding")}}
@@ -53,6 +54,9 @@ Forbidden headers are one of the following:
 > [!NOTE]
 > While the {{HTTPHeader("Referer")}} header is listed as a forbidden header [in the spec](https://fetch.spec.whatwg.org/#forbidden-request-header), the user agent does not retain full control over it and the header can be programmatically modified. For example, when using [`fetch()`](/en-US/docs/Web/API/Window/fetch), the {{HTTPHeader("Referer")}} header can be programmatically modified via the [`referrer` option](/en-US/docs/Web/API/RequestInit#referrer).
 
+> [!NOTE]
+> Chrome also forbids `Access-Control-Request-Private-Network`
+
 ## See also
 
 - Related glossary terms:
