I'm confused while reading the document about Forbidden header name.MDN
These are forbidden, so the user agent retains full control over them
My question is "Forbidden header name" is forbidden to do what?
Forbidden header name. A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).
Modifying such headers is forbidden because the user agent retains full control over them. Names starting with ` Sec- ` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest.
The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader () . However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722 ).
Alternative header names are: X-CSRFToken and X-XSRF-TOKEN Correlates HTTP requests between a client and server. The Save-Data client hint request header available in Chrome, Opera, and Yandex browsers lets developers deliver lighter, faster applications to users who opt-in to data saving mode in their browser.
They are forbidden to be set or changed by javascript code, running in a browser sandbox.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With