Re: [whatwg/fetch] Add `Set-Cookie` as a forbidden header name (PR #1453) from Jim Manico on 2023-03-24 (public-webapps-github@w3.org from March 2023)

From: Jim Manico <notifications@github.com>
Date: Fri, 24 Mar 2023 08:43:25 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1453/c1483016983@github.com>

I struggle to see why Set-Cookie (a response header) is now a forbidden Request header.

Is this just to make sure developers do not use Set-Cookie in a request (demonstrating a misunderstanding of cookies)? HTTPOnly currently stops reading cookies from response headers and Set-Cookie never appears in requests since Set-Cookie is a response header.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1453#issuecomment-1483016983
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1453/c1483016983@github.com>

Received on Friday, 24 March 2023 15:43:37 UTC