禁止修改的消息首部 - 术语表 | MDN https://developer.mozilla.org/zh-CN/docs/Glossary/Forbidden_header_name
禁止修改的消息首部指的是不能在代码中通过编程的方式进行修改的HTTP协议消息首部。本文仅讨论相关的HTTP请求首部(关于禁止修改的响应首部,请参考 Forbidden response header name (en-US))。
用户代理对这些消息首部保留全部控制权,应用程序无法设置它们。 Names starting with `Sec-` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest.
禁止修改的消息首部包括以 Proxy- 和 Sec- 开头的消息首部,以及下面列出的消息首部:
Accept-CharsetAccept-EncodingAccess-Control-Request-HeadersAccess-Control-Request-MethodConnectionContent-LengthCookieCookie2DateDNTExpectHostKeep-AliveOriginProxy-Sec-RefererTETrailerTransfer-EncodingUpgradeVia
注意: 根据最新的规范,User-Agent 首部已经从列表中移除。更多内容请参考规范的 forbidden header name list 一节(Firefox 43 实现了对这一更改的支持)。因此,该首部已经可以用于诸如 Fetch 的 Headers 对象,XHR 的 setRequestHeader()? 中。
Forbidden header name
A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).
Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest.
Forbidden header names start with Proxy- or Sec-, or are one of the following names:
Accept-CharsetAccept-EncodingAccess-Control-Request-HeadersAccess-Control-Request-MethodConnectionContent-LengthCookieCookie2DateDNTExpectFeature-PolicyHostKeep-AliveOriginProxy-Sec-RefererTETrailerTransfer-EncodingUpgradeVia
Note
The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).