Forbidden header name

Tags:

http

header

I'm confused while reading the MDN document about Forbidden header name.

These are forbidden, so the user agent retains full control over them

My question is: "Forbidden header name" is forbidden to do what?

lyz1052 asked Jun 08 '17 03:06


1 Answer

They are forbidden to be set or changed by JavaScript code running in a browser sandbox.

Evert answered Sep 21 '22 21:09
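As an added example (not from the original post or from MDN), here is a stand-alone JavaScript model of the Fetch standard's forbidden request-header check, showing which script-supplied headers a browser silently drops and why. The header list and the helper names are mine, taken from my reading of the Fetch standard, and may lag the current spec.

```javascript
// Added example (not from the original post): a model of the Fetch standard's
// "forbidden request-header name" rule, i.e. the names a browser refuses to
// let page JavaScript set through Headers or XMLHttpRequest.setRequestHeader.
// List follows the Fetch standard as I read it; it changes over time
// (User-Agent was removed from it, Set-Cookie was added).
const FORBIDDEN_REQUEST_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade',
  'via',
]);
// Method-override headers are forbidden only when the value names one of
// these methods (the spec's special case, matched case-insensitively).
const OVERRIDE_HEADERS = new Set([
  'x-http-method', 'x-http-method-override', 'x-method-override',
]);
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);

function isForbiddenRequestHeader(name, value = '') {
  const lower = name.toLowerCase();
  if (lower.startsWith('proxy-') || lower.startsWith('sec-')) return true;
  if (FORBIDDEN_REQUEST_HEADER_NAMES.has(lower)) return true;
  if (OVERRIDE_HEADERS.has(lower)) {
    return value.split(',').some((m) => FORBIDDEN_METHODS.has(m.trim().toUpperCase()));
  }
  return false;
}

// What the user agent does with a script-supplied header list: forbidden
// names are dropped silently, the rest go on the wire.
function applyScriptHeaders(scriptHeaders) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (isForbiddenRequestHeader(name, value)) dropped.push(name);
    else sent[name] = value;
  }
  return { sent, dropped };
}

// Constructed sample of headers a page script might try to set.
const demo = applyScriptHeaders({
  'Content-Type': 'application/json',
  'X-CSRFToken': 'abc123',            // allowed: application-defined
  Cookie: 'session=abc',              // forbidden: the UA owns cookies
  Origin: 'https://example.org',      // forbidden: UA sets Origin so servers can trust it
  'Sec-Fetch-Site': 'same-origin',    // forbidden: Sec- prefix is reserved
  'X-HTTP-Method-Override': 'TRACE',  // forbidden because of the method named
});
```

Running it shows `Content-Type` and `X-CSRFToken` surviving while the other four are dropped, which is the behaviour the answer describes from the browser's side.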