Add Set-Cookie as a forbidden header name

lucacasonato · annevk · web-flow · commit 50d77e6c2bde · 2022-06-28T15:12:38.000+02:00
Tests: web-platform-tests/wpt#34424. Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
diff --git a/fetch.bs b/fetch.bs
@@ -1015,6 +1015,7 @@ is a <a>byte-case-insensitive</a> match for one of
  <li>`<code>Keep-Alive</code>`
  <li>`<a http-header><code>Origin</code></a>`
  <li>`<code>Referer</code>`
+ <li>`<code>Set-Cookie</code>`
  <li>`<code>TE</code>`
  <li>`<code>Trailer</code>`
  <li>`<code>Transfer-Encoding</code>`
@@ -1025,10 +1026,18 @@ is a <a>byte-case-insensitive</a> match for one of
 <p>or a <a for=/>header name</a> that when <a>byte-lowercased</a>
 <a for="byte sequence">starts with</a> `<code>proxy-</code>` or `<code>sec-</code>`.
 
-<p class=note>These are forbidden so the user agent remains in full control over them.
-<a for=/>Header names</a> starting with `<code>Sec-</code>` are reserved to allow new
-<a for=/>headers</a> to be minted that are safe from APIs using <a for=/>fetch</a> that allow
-control over <a for=/>headers</a> by developers, such as {{XMLHttpRequest}}. [[XHR]]
+<div class=note>
+ <p>These are forbidden so the user agent remains in full control over them.
+
+ <p><a for=/>Header names</a> starting with `<code>Sec-</code>` are reserved to allow new
+ <a for=/>headers</a> to be minted that are safe from APIs using <a for=/>fetch</a> that allow
+ control over <a for=/>headers</a> by developers, such as {{XMLHttpRequest}}. [[XHR]]
+
+ <p>The `<code>Set-Cookie</code>` header is semantically a response header, so it is not useful on
+ requests. Because `<code>Set-Cookie</code>` headers cannot be combined, they require more complex
+ handling in the {{Headers}} object. It is forbidden here to avoid leaking this complexity into
+ requests.
+</div>
 
 <p>A <dfn export>forbidden response-header name</dfn> is a <a for=/>header name</a> that is a
 <a>byte-case-insensitive</a> match for one of:
