Conversation

@verhovsky verhovsky commented Nov 6, 2025

Description

The spec says Cookie2 and Set-Cookie are forbidden. Looking at the Chrome source code it also checks for Access-Control-Request-Private-Network, which is added to the list in this draft spec.

You can try it out by opening https://example.com/ and doing

await fetch('https://example.com', {
  headers: {
    'access-control-request-private-network': 'aaaaaaaaaaaaaa', // forbidden in Chrome (see the note below)
    'cookie2': 'bbbbbbbbbbbbbb',                                 // forbidden by the Fetch spec, silently dropped
    'set-cookie': 'ccccccccccccc',                               // forbidden by the Fetch spec, silently dropped
    'Permissions-Policy': 'this one actually gets sent',         // not forbidden, shows up in the request
  }
});

and looking in the Network tab.

Additional details

Chrome source code: https://source.chromium.org/chromium/chromium/src/+/main:net/http/http_util.cc;l=324-348;drc=c8dc70b538f1bb0862f1be58237d6e945ee81819

Spec: https://fetch.spec.whatwg.org/#forbidden-request-header

Added 'Cookie2' and 'Set-Cookie', removed 'Permissions-Policy' and added a note about 'Access-Control-Request-Private-Network' for Chrome.
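As an added example that is not part of the PR or of the MDN page, the following plain JavaScript reimplements the Fetch spec's "forbidden request header" check (the spec linked above) so the four headers from the snippet can be classified offline instead of by reading the Network tab. The `chromeExtras` option and the helper names are my own; the spec list is reproduced from the Fetch standard, and the sample header map is copied from the snippet.

```javascript
// Spec: https://fetch.spec.whatwg.org/#forbidden-request-header
// Header names the Fetch standard forbids on requests (compared case-insensitively).
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);
// Chrome additionally forbids this Private Network Access request header
// (per the PR description); it is modelled as an opt-in extra, not as spec.
const CHROME_EXTRA_NAMES = new Set(["access-control-request-private-network"]);
// Method-override headers are forbidden only when their value names a forbidden method.
const METHOD_OVERRIDE_NAMES = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Returns true when a conforming fetch() would silently drop this header.
// opts.chromeExtras (my own option name) adds Chrome's extra entry on top of the spec list.
function isForbiddenRequestHeader(name, value = "", opts = {}) {
  const n = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(n)) return true;
  if (n.startsWith("proxy-") || n.startsWith("sec-")) return true;
  if (opts.chromeExtras && CHROME_EXTRA_NAMES.has(n)) return true;
  if (METHOD_OVERRIDE_NAMES.has(n)) {
    // The spec splits the value on commas, trims whitespace, and forbids the
    // header if any listed method is CONNECT, TRACE or TRACK (case-insensitive).
    return value.split(",").some((m) =>
      FORBIDDEN_METHODS.has(m.trim().toUpperCase()));
  }
  return false;
}

// Given a headers object like the one in the fetch() call, returns the subset
// that would actually be put on the wire.
function headersThatGetSent(headers, opts = {}) {
  return Object.fromEntries(Object.entries(headers)
    .filter(([k, v]) => !isForbiddenRequestHeader(k, v, opts)));
}

// Constructed sample: the headers from the fetch() call in the PR description.
const SAMPLE = {
  "access-control-request-private-network": "aaaaaaaaaaaaaa",
  "cookie2": "bbbbbbbbbbbbbb",
  "set-cookie": "ccccccccccccc",
  "Permissions-Policy": "this one actually gets sent",
};
```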
@verhovsky verhovsky requested a review from a team as a code owner November 6, 2025 21:23
@verhovsky verhovsky requested review from hamishwillee and removed request for a team November 6, 2025 21:23
@github-actions github-actions bot added Content:Glossary Glossary entries size/s [PR only] 6-50 LoC changed labels Nov 6, 2025

github-actions bot commented Nov 6, 2025

Preview URLs

Flaws (1)

URL: /en-US/docs/Glossary/Forbidden_request_header
Title: Forbidden request header
Flaw count: 1

  • macros:
    • Can't resolve /en-US/docs/Web/HTTP/Reference/Methods/TRACK

(comment last updated: 2025-11-07 16:17:38)

- {{HTTPHeader("Connection")}}
- {{HTTPHeader("Content-Length")}}
- {{HTTPHeader("Cookie")}}
- `Cookie2`
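Review bot: `Cookie2` is the only entry in this list written as plain inline code instead of `{{HTTPHeader("Cookie2")}}` like the neighbouring `Cookie` entry, which signals that no MDN reference page backs it; the PR description cites only the Fetch spec for it, so the entry needs either a link to that spec or a one-line note on which browsers actually forbid it, otherwise readers cannot tell whether this is a live web-platform header or a spec leftover.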

What browser is this implemented in? MDN doesn't document things that have no implementation.


@verhovsky verhovsky Nov 13, 2025


All 3 of them. I linked the Chrome source code and I also ran the snippet I posted above that sends the 4 mentioned headers on macOS:

Chrome: [screenshot of the Network tab, 2025-11-13]

Safari: [screenshot of the Network tab, 2025-11-13]

Firefox: [screenshot of the Network tab, 2025-11-13]


Thanks


Thanks for that clarification @bsmth - I should have searched the history.

I have reverted this in #41964 because Cookie2 is not part of the web platform. I suspect this will come up again until the spec gets updated to remove the mention of this header.

Comment on lines +57 to +58
> [!NOTE]
> Chrome also forbids `Access-Control-Request-Private-Network`
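Review bot: the note says Chrome forbids `Access-Control-Request-Private-Network` but gives no reference; the PR description links both the Chrome source (`net/http/http_util.cc`) and the draft spec that adds this header to the forbidden list, so the note should carry at least the spec link and say whether other browsers behave the same, so that readers can tell whether this is a Chrome-only restriction or a pending spec change.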

FWIW We should document this header and add it to BCD mdn/browser-compat-data#25467.

Because we have not done so I think this is good (because there is no way for anyone to work out the support story on this) but when BCD/docs exist this would just be in the main list.

@hamishwillee hamishwillee merged commit 1ee2cfe into mdn:main Nov 13, 2025
8 checks passed