The Fetch spec forbids JavaScript from setting headers with a Sec- prefix — only the browser can set them. Since the browser-set request headers (Redirect-Origin, Redirect-Query when forwarded) need the same protection, consider using Sec-Redirect-* for the request-side headers.
This would give a clear split:
- Redirect-Query / Redirect-Path — response headers set by servers
- Sec-Redirect-Origin / Sec-Redirect-Query — request headers set by browser only
This aligns with existing Fetch spec conventions (Sec-Fetch-Site, Sec-Fetch-Mode, etc.).
Raised during IETF 125 presentation preparation.
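
To illustrate the point about the `Sec-` prefix, here is an added example (not part of the original issue or of any draft text) that models the Fetch forbidden request-header name check in simplified form and applies it to a script-initiated request. The function names and the `https://idp.example` value are hypothetical, and the value-dependent `X-HTTP-Method*` rule is omitted.

```javascript
// Simplified model of the Fetch "forbidden request-header" name check.
// Assumption: the value-dependent X-HTTP-Method* rule is left out for brevity.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  // The prefix rule is what protects Sec-Fetch-* and would protect Sec-Redirect-*.
  return FORBIDDEN_NAMES.has(n) || n.startsWith("sec-") || n.startsWith("proxy-");
}

// Hypothetical helper: models which headers reach the wire. Script-supplied
// headers are filtered first, then browser-set headers are applied on top.
function buildRequestHeaders(scriptHeaders, browserHeaders) {
  const headers = {};
  const dropped = [];
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (isForbiddenRequestHeader(name)) dropped.push(name);
    else headers[name.toLowerCase()] = value;
  }
  for (const [name, value] of Object.entries(browserHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  return { headers, dropped };
}

// An ordinary script-initiated request: the browser adds no redirect headers,
// so whatever the script managed to set is all the server sees.
function scriptCanSpoof(headerName) {
  const { headers } = buildRequestHeaders(
    { [headerName]: "https://idp.example" }, // constructed sample value
    {}
  );
  return headerName.toLowerCase() in headers;
}

console.log("Redirect-Origin settable by script:", scriptCanSpoof("Redirect-Origin"));
console.log("Sec-Redirect-Origin settable by script:", scriptCanSpoof("Sec-Redirect-Origin"));
```

A server that receives the unprefixed name cannot tell a browser-set value from a script-set one; with the `Sec-` prefix, the presence of the header implies the browser supplied it.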