forbidden-header-name
A forbidden header name is a header name that is a byte-case-insensitive match for one of
Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Referer
TE
Trailer
Transfer-Encoding
Upgrade
Via
or a header name that starts with a byte-case-insensitive match for Proxy- or Sec- (including being a byte-case-insensitive match for just Proxy- or Sec-).
These are forbidden so the user agent remains in full control over them. Names starting with Sec- are reserved to allow new headers to be minted that are safe from APIs using fetch that allow control over headers by developers, such as XMLHttpRequest.
Does this mean that, because these are not visible to the user, the user agent can set them freely without worrying about security?
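The definition above, written out as a check that a wrapper accepting developer-supplied headers could apply before building a request. This is an added example, not code from the Fetch specification; the function names `asciiLower`, `isForbiddenHeaderName` and `partitionHeaders` and the sample headers are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names): the forbidden header name definition as code.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Byte-case-insensitive means only ASCII A-Z are folded.
// String.prototype.toLowerCase() would also fold non-ASCII characters,
// e.g. U+212A KELVIN SIGN becomes "k", which is not a byte-level match.
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// True if the name is on the list or starts with Proxy- / Sec-
// (a name that is exactly "Proxy-" or "Sec-" also counts).
function isForbiddenHeaderName(name) {
  const lower = asciiLower(name);
  return FORBIDDEN_NAMES.has(lower) ||
    FORBIDDEN_PREFIXES.some((p) => lower.startsWith(p));
}

// Split caller-supplied headers into those the caller may set and
// those that stay under the user agent's control.
function partitionHeaders(headers) {
  const allowed = {};
  const rejected = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenHeaderName(name)) rejected.push(name);
    else allowed[name] = value;
  }
  return { allowed, rejected };
}

// Constructed sample input.
const sample = {
  "X-Request-Id": "abc123",
  "COOKIE": "sid=1",
  "sec-fetch-site": "same-origin",
  "Proxy-": "x",
  "Security-Token": "t", // begins with "Sec" but not "Sec-", so not forbidden
  "Content-Type": "application/json",
};
const result = partitionHeaders(sample);
console.log("rejected:", result.rejected, "allowed:", Object.keys(result.allowed));
```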