1. 13
    1. 2

      Am I right in thinking that Firefox will fill in and send these headers itself? Is it not possible for the attacker web app to set these header values?

      1. 4

        Yes. Headers prefixed with “Sec-” can’t be set using WebAPIs like fetch or XMLHttpRequest.

        Note that this technique is only to prevent unintended cross-origin attacks using these APIs, forms, frames, img elements. Of course you can set all of these headers when using curl.

        1. 1

          Gotcha. Thanks for the clarification.
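As an added example that is not from the post or any of the comments above: the server side of the technique the reply describes, a Fetch Metadata resource isolation check written in plain JavaScript. It assumes Node-style lowercase header names; the sample requests are constructed, and the last one shows the caveat from the reply, a client like curl that sends no Sec-Fetch-* headers at all simply passes through.

```javascript
// Added example (not code from the page): a server-side check on the
// browser-set Sec-Fetch-* headers. A page on another origin cannot override
// these via fetch()/XHR/forms/frames/img, so the server can trust them.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// `headers` is a plain object keyed by lowercase header name (as Node's http
// module provides). Returns { allowed, reason } so the decision is testable.
function fetchMetadataAllows(method, headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // No Fetch Metadata at all: an older browser or a non-browser client such
  // as curl. The check cannot protect these requests, so it lets them through
  // rather than breaking them; other defenses (auth, CSRF tokens) still apply.
  if (site === undefined) {
    return { allowed: true, reason: "no Sec-Fetch-Site header (legacy or non-browser client)" };
  }

  // Requests from our own origin/site, or user-initiated ones (address bar,
  // bookmark; site === "none"), are what the application expects.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allowed: true, reason: `sec-fetch-site=${site}` };
  }

  // Cross-site: accept only simple top-level navigations so the site stays
  // linkable, but not when it is being embedded via <object>/<embed>.
  if (mode === "navigate" && SAFE_METHODS.has(method.toUpperCase()) &&
      dest !== "object" && dest !== "embed") {
    return { allowed: true, reason: "cross-site top-level navigation" };
  }

  return { allowed: false, reason: `cross-site ${method} with mode=${mode} dest=${dest}` };
}

// Constructed sample requests (header values as a browser would send them).
const samples = [
  { name: "fetch() POST from another origin", method: "POST",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { name: "<img> load from another origin", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } },
  { name: "link click from another origin", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "curl with no Sec-Fetch-* headers", method: "GET", headers: {} },
];

for (const s of samples) {
  const { allowed, reason } = fetchMetadataAllows(s.method, s.headers);
  console.log(`${allowed ? "ALLOW" : "DENY "} ${s.name}: ${reason}`);
}
```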

    2. -6

      Any news on good vertical tab support, like in Microsoft’s new browser?