feat: add footnote regarding Referer mutability (mdn#30200)

* feat: add callout regarding referer header * docs: add more context to referrer mutability * docs: commit suggestion * Update files/en-us/glossary/forbidden_header_name/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wbamberg · Nov 17, 2023 · c32c0f8 · c32c0f8
1 parent 8e7726d
commit c32c0f8
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/files/en-us/glossary/forbidden_header_name/index.md b/files/en-us/glossary/forbidden_header_name/index.md
@@ -37,6 +37,8 @@ Forbidden header names start with `Proxy-` or `Sec-`, or are one of the followin
 
 > **Note:** The {{HTTPHeader("User-Agent")}} header is no longer forbidden, [as per spec](https://fetch.spec.whatwg.org/#terminology-headers) — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch [Headers](/en-US/docs/Web/API/Headers) object, or with the [setRequestHeader()](/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader) method of `XMLHttpRequest`. However, Chrome will silently drop the header from Fetch requests (see [Chromium bug 571722](https://crbug.com/571722)).
 
+> **Note:** While the {{HTTPHeader("Referer")}} header is listed as a forbidden header [in the spec](https://fetch.spec.whatwg.org/#forbidden-request-header), the user agent does not retain full control over it and the header can be programmatically modified. For example, when using [`fetch()`](/en-US/docs/Web/API/fetch), the {{HTTPHeader("Referer")}} header can be programmatically modified via the [`referrer` option](/en-US/docs/Web/API/fetch#referrer).
+
 ## See also
 
 {{Glossary("Forbidden response header name")}} (Glossary)