1. 13

  2. 2

    Am I right in thinking that Firefox will fill in and send these headers itself? Is it not possible for the attacker web app to set these header values?

    1. 4

      Yes. Headers prefixed with “Sec-” can’t be set using Web APIs like fetch or XMLHttpRequest.

      Note that this technique is only to prevent unintended cross-origin attacks using these APIs, forms, frames, or img elements. Of course you can set all of these headers when using curl.

      1. 1

        Gotcha. Thanks for the clarification.

    2. -6

      Any news on good vertical tab support, like in Microsoft’s new browser?
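
A server-side check built on the point made in the answer above about "Sec-" headers, as an added example that is not part of the original thread. It assumes the headers under discussion are the Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`); the function name `allowRequest` and the sample requests are constructed for illustration.

```javascript
// Added example: one possible resource isolation policy using Sec-Fetch-* headers.
// Header names are lowercase, as Node.js presents them on incoming requests.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

function allowRequest(method, headers) {
  const site = headers["sec-fetch-site"];
  // Header absent: an older browser or a non-browser client such as curl.
  // The policy cannot judge these, so other defences must cover them.
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };
  // same-origin and same-site come from our own pages; "none" is a
  // user-initiated load (typed URL, bookmark).
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: site };
  }
  // Cross-site: allow only a plain top-level navigation (following a link).
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];
  if (mode === "navigate" && dest === "document" && SAFE_METHODS.has(method)) {
    return { allow: true, reason: "cross-site-navigation" };
  }
  return { allow: false, reason: "cross-site-blocked" };
}

// Constructed sample requests (not captured traffic).
const samples = [
  ["own page fetch", "POST", { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" }],
  ["cross-site form POST", "POST", { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" }],
  ["cross-site img", "GET", { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" }],
  ["cross-site link click", "GET", { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" }],
  ["curl, no Sec- headers", "POST", {}],
  // A non-browser client can send any value it likes, so the policy
  // is a cross-origin filter for browsers, not authentication.
  ["curl, forged header", "POST", { "sec-fetch-site": "same-origin" }],
];

for (const [label, method, headers] of samples) {
  const { allow, reason } = allowRequest(method, headers);
  console.log(`${label}: ${allow ? "allow" : "deny"} (${reason})`);
}
```

The last two samples show why this check complements authentication and CSRF tokens rather than replacing them: it only constrains requests that a browser issues on behalf of another site.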