From c32c0f85ef5c14f87eba2a81903e7bd67a50e95b Mon Sep 17 00:00:00 2001 From: Cristopher <32661241+Namchee@users.noreply.github.com> Date: Fri, 17 Nov 2023 22:51:52 +0700 Subject: [PATCH] feat: add footnote regarding Referer mutability (#30200) * feat: add callout regarding referer header * docs: add more context to referrer mutability * docs: commit suggestion * Update files/en-us/glossary/forbidden_header_name/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- files/en-us/glossary/forbidden_header_name/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/files/en-us/glossary/forbidden_header_name/index.md b/files/en-us/glossary/forbidden_header_name/index.md index 2f2d197a860a0ac..284bdedc4db527a 100644 --- a/files/en-us/glossary/forbidden_header_name/index.md +++ b/files/en-us/glossary/forbidden_header_name/index.md 
@@ -37,6 +37,8 @@ Forbidden header names start with `Proxy-` or `Sec-`, or are one of the followin > **Note:** The {{HTTPHeader("User-Agent")}} header is no longer forbidden, [as per spec](https://fetch.spec.whatwg.org/#terminology-headers) — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch [Headers](/en-US/docs/Web/API/Headers) object, or with the [setRequestHeader()](/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader) method of `XMLHttpRequest`. However, Chrome will silently drop the header from Fetch requests (see [Chromium bug 571722](https://crbug.com/571722)). +> **Note:** While the {{HTTPHeader("Referer")}} header is listed as a forbidden header [in the spec](https://fetch.spec.whatwg.org/#forbidden-request-header), the user agent does not retain full control over it and the header can be programmatically modified. For example, when using [`fetch()`](/en-US/docs/Web/API/fetch), the {{HTTPHeader("Referer")}} header can be programmatically modified via the [`referrer` option](/en-US/docs/Web/API/fetch#referrer). + ## See also {{Glossary("Forbidden response header name")}} (Glossary)
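Review bot: In the added `Referer` note, "can be programmatically modified" appears in both sentences and never says how far the modification goes, so a reader can take it to mean that page script may send any `Referer` value it likes. The `referrer` option of `fetch()` accepts only a same-origin URL, `about:client` or an empty string, so I would fold the two sentences into one and state that limit, for example "the header can be set to a same-origin URL, or suppressed, via the `referrer` option". The clause "the user agent does not retain full control over it" is also vague: either say what the user agent still decides for this header or drop the clause.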