Conversation

@hamishwillee (Collaborator)

Fixes #41843

Permissions-Policy is not a forbidden request header.

@hamishwillee hamishwillee requested a review from a team as a code owner November 13, 2025 23:12
@hamishwillee hamishwillee requested review from bsmth and removed request for a team November 13, 2025 23:12
@github-actions github-actions bot added Content:HTTP HTTP docs size/xs [PR only] 0-5 LoC changed labels Nov 13, 2025
@github-actions bot (Contributor) commented Nov 13, 2025

Preview URLs

Flaws (3)

URL: /en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
Title: Permissions-Policy header
Flaw count: 3

  • unknown:
    • No generic content config found
    • no blog root
    • no blog root

(comment last updated: 2025-11-14 06:04:49)

@Josh-Cena (Member)

This is not a single instance. The problem is that before #38296, a nontrivial number of pages wrote "Forbidden header name" as if it meant "forbidden request or response header name", but in fact the spec uses this term explicitly for "Forbidden request header name", so when #38296 updated all pages to use the unambiguous new term, these pages became blatantly wrong (whereas they were covertly wrong before). For example, Accept-CH is a response header, but its page also has "Forbidden request header". This is why I labeled the issue as "effort: large": a proper fix needs to go through every response header and see if this is an issue. I don't know a good way to automate this because I don't have a good way to know if a header is response, request, or both.

@Josh-Cena (Member)

Oh, I searched for >Header type</th>[\n ]*<td>[\n ]*\{\{Glossary\("Response header"\)\}\}[\n ]*</td>(\n|.)*Forbidden request header and it looks like this is an issue for basically every single response header page.

@hamishwillee (Collaborator, Author)

@Josh-Cena Yes. Thanks for the clarification. We should fix this everywhere.

> I don't have a good way to know if a header is response, request, or both.

There is no easy way to automate this. The starting sentence for every header is supposed to say this, but I doubt it does so reliably (i.e. "The XXX HTTP [response | request | response and request] header is ...").

So it has to be manual. I personally am happy for this to be the start of that work.

@Josh-Cena (Member)

You can do a search for >Header type</th>[\n ]*<td>[\n ]*\{\{Glossary\("Response header"\)\}\}[\n ]*</td>(\n|.)*Forbidden request header. I found the following:

  • files/en-us/web/http/reference/headers/accept-ch/index.md
  • files/en-us/web/http/reference/headers/accept-patch/index.md
  • files/en-us/web/http/reference/headers/accept-post/index.md
  • files/en-us/web/http/reference/headers/accept-ranges/index.md
  • files/en-us/web/http/reference/headers/access-control-allow-credentials/index.md
  • files/en-us/web/http/reference/headers/access-control-allow-headers/index.md
  • files/en-us/web/http/reference/headers/access-control-allow-methods/index.md
  • files/en-us/web/http/reference/headers/access-control-allow-origin/index.md
  • files/en-us/web/http/reference/headers/access-control-expose-headers/index.md
  • files/en-us/web/http/reference/headers/access-control-max-age/index.md
  • files/en-us/web/http/reference/headers/age/index.md
  • files/en-us/web/http/reference/headers/allow/index.md
  • files/en-us/web/http/reference/headers/alt-svc/index.md
  • files/en-us/web/http/reference/headers/attribution-reporting-register-source/index.md
  • files/en-us/web/http/reference/headers/attribution-reporting-register-trigger/index.md
  • files/en-us/web/http/reference/headers/clear-site-data/index.md
  • files/en-us/web/http/reference/headers/content-security-policy/index.md
  • files/en-us/web/http/reference/headers/content-security-policy-report-only/index.md
  • files/en-us/web/http/reference/headers/critical-ch/index.md
  • files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md
  • files/en-us/web/http/reference/headers/cross-origin-resource-policy/index.md
  • files/en-us/web/http/reference/headers/expect-ct/index.md
  • files/en-us/web/http/reference/headers/expires/index.md
  • files/en-us/web/http/reference/headers/integrity-policy/index.md
  • files/en-us/web/http/reference/headers/integrity-policy-report-only/index.md
  • files/en-us/web/http/reference/headers/location/index.md
  • files/en-us/web/http/reference/headers/nel/index.md
  • files/en-us/web/http/reference/headers/no-vary-search/index.md
  • files/en-us/web/http/reference/headers/observe-browsing-topics/index.md
  • files/en-us/web/http/reference/headers/origin-agent-cluster/index.md
  • files/en-us/web/http/reference/headers/permissions-policy/index.md
  • files/en-us/web/http/reference/headers/proxy-authenticate/index.md
  • files/en-us/web/http/reference/headers/referrer-policy/index.md
  • files/en-us/web/http/reference/headers/refresh/index.md
  • files/en-us/web/http/reference/headers/report-to/index.md
  • files/en-us/web/http/reference/headers/reporting-endpoints/index.md
  • files/en-us/web/http/reference/headers/retry-after/index.md
  • files/en-us/web/http/reference/headers/sec-websocket-accept/index.md
  • files/en-us/web/http/reference/headers/sec-websocket-version/index.md
  • files/en-us/web/http/reference/headers/server/index.md
  • files/en-us/web/http/reference/headers/server-timing/index.md
  • files/en-us/web/http/reference/headers/service-worker-allowed/index.md
  • files/en-us/web/http/reference/headers/set-cookie/index.md
  • files/en-us/web/http/reference/headers/set-login/index.md
  • files/en-us/web/http/reference/headers/sourcemap/index.md
  • files/en-us/web/http/reference/headers/speculation-rules/index.md
  • files/en-us/web/http/reference/headers/strict-transport-security/index.md
  • files/en-us/web/http/reference/headers/supports-loading-mode/index.md
  • files/en-us/web/http/reference/headers/timing-allow-origin/index.md
  • files/en-us/web/http/reference/headers/tk/index.md
  • files/en-us/web/http/reference/headers/vary/index.md
  • files/en-us/web/http/reference/headers/www-authenticate/index.md
  • files/en-us/web/http/reference/headers/x-content-type-options/index.md
  • files/en-us/web/http/reference/headers/x-dns-prefetch-control/index.md
  • files/en-us/web/http/reference/headers/x-frame-options/index.md
  • files/en-us/web/http/reference/headers/x-permitted-cross-domain-policies/index.md
  • files/en-us/web/http/reference/headers/x-robots-tag/index.md
  • files/en-us/web/http/reference/headers/x-xss-protection/index.md
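The two checks discussed in this thread (Josh-Cena's regex search, and hamishwillee's point that the intro sentence is supposed to state the header type but may not do so reliably) can be combined into a small audit script. The following is an added example written for this page, not mdn/content's own tooling. It assumes pages are supplied as `{path, content}` objects, assumes the intro sentence follows the "The **`Name`** HTTP [response | request | response and request] header ..." template quoted above, and builds its own constructed sample pages with a helper `makePage`; only the `permissions-policy` path is taken from the list above, the other paths and header names are made up.

```javascript
// Added example for this thread, not mdn/content's own tooling. It audits HTTP
// header reference pages (given as {path, content} objects) for the mistake
// discussed above: a "Header type" row that declares a response header on a
// page that still carries a "Forbidden request header" row, a term the spec
// uses only for request headers. It also cross-checks the intro sentence
// against the table, using the assumed "The XXX HTTP [response|request] header"
// template mentioned in the thread.

// The search pattern from the comment above; [\s\S]* replaces (\n|.)* so it
// spans lines without needing the dotAll flag.
const RESPONSE_WITH_FORBIDDEN_REQUEST_RE =
  />Header type<\/th>\s*<td>\s*\{\{Glossary\("Response header"\)\}\}\s*<\/td>[\s\S]*Forbidden request header/;

// Captures the contents of the "Header type" cell, whatever Glossary macros it holds.
const TABLE_TYPE_RE = />Header type<\/th>\s*<td>([\s\S]*?)<\/td>/;

// Assumed intro template: "The **`Name`** HTTP <type> header ..."
const INTRO_TYPE_RE =
  /^The \*\*`?[\w-]+`?\*\* HTTP (response and request|request and response|response|request) header\b/m;

// Reduces text such as 'Response header' or '{{Glossary("Request header")}},
// {{Glossary("Response header")}}' to "request", "response", "both" or null.
function normalizeType(text) {
  const t = text.toLowerCase();
  const hasResponse = t.includes("response");
  const hasRequest = t.includes("request");
  if (hasResponse && hasRequest) return "both";
  if (hasResponse) return "response";
  if (hasRequest) return "request";
  return null;
}

function tableHeaderType(content) {
  const m = TABLE_TYPE_RE.exec(content);
  return m ? normalizeType(m[1]) : null;
}

function introHeaderType(content) {
  const m = INTRO_TYPE_RE.exec(content);
  return m ? normalizeType(m[1]) : null;
}

function hasForbiddenRequestMismatch(content) {
  return RESPONSE_WITH_FORBIDDEN_REQUEST_RE.test(content);
}

// Returns {path, problems} for one page; problems is empty when the page is consistent.
function auditPage(page) {
  const problems = [];
  if (hasForbiddenRequestMismatch(page.content)) {
    problems.push("response header page mentions 'Forbidden request header'");
  }
  const table = tableHeaderType(page.content);
  const intro = introHeaderType(page.content);
  if (table && intro && table !== intro) {
    problems.push(`intro says ${intro} header but table says ${table}`);
  }
  return { path: page.path, problems };
}

// Keeps only the pages that have at least one problem, in input order.
function auditPages(pages) {
  return pages.map(auditPage).filter((r) => r.problems.length > 0);
}

// Builds a minimal page in the assumed MDN layout (constructed sample, not a real page).
function makePage(path, name, introType, tableType, withForbiddenRow) {
  const forbiddenRow = withForbiddenRow
    ? `\n    <tr>\n      <th scope="row">{{Glossary("Forbidden request header")}}</th>\n      <td>No</td>\n    </tr>`
    : "";
  const content = `The **\`${name}\`** HTTP ${introType} header is a constructed sample.

<table class="properties">
  <tbody>
    <tr>
      <th scope="row">Header type</th>
      <td>{{Glossary("${tableType}")}}</td>
    </tr>${forbiddenRow}
  </tbody>
</table>`;
  return { path, content };
}

// Constructed sample pages: the bug this PR fixes, a consistent request-header
// page, and a page whose intro sentence and table disagree (made-up header names).
const SAMPLE_PAGES = [
  makePage("files/en-us/web/http/reference/headers/permissions-policy/index.md",
    "Permissions-Policy", "response", "Response header", true),
  makePage("constructed/x-sample-request/index.md",
    "X-Sample-Request", "request", "Request header", true),
  makePage("constructed/x-sample-mismatch/index.md",
    "X-Sample-Mismatch", "request", "Response header", false),
];

for (const { path, problems } of auditPages(SAMPLE_PAGES)) {
  console.log(`${path}: ${problems.join("; ")}`);
}
```

Run over the real repository, `SAMPLE_PAGES` would be replaced by reading each `files/en-us/web/http/reference/headers/*/index.md`; the first check reproduces the search quoted above exactly, while the intro check only flags pages where both the intro and the table are recognisable, so pages that deviate from the assumed template are left for manual review rather than reported as false positives.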

@hamishwillee (Collaborator, Author)

OK, I've done all of the other listed response headers in #41946 - we might still be missing some of course.

@bsmth (Member) left a comment

Some comments in the linked PR, but leaving a +1 here, too 👍🏻

Development

Successfully merging this pull request may close these issues: Response headers are not request headers