Am I right in thinking that firefox will fill-in and send these headers itself? Is it not possible for the attacker web app to set these header values?
Yes. Headers prefixed with “Sec-” can’t be set using WebAPIs like fetch or XMLHttpRequest.
Note that this technique is only to prevent unintended cross-origin attacks using these APIs, forms, frames, img elements. Of course you can set all of these headers when using curl.
Gotcha. Thanks for the clarification.
Any news on good vertical tab support, like in Microsoft’s new browser?