JDK-8203850 : java.net.http HTTP client should allow specifying Origin and Referer headers
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 10,11
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-05-25
  • Updated: 2018-10-19
  • Resolved: 2018-10-12
JDK 11
Related Reports
Blocks :  
Apparently, those headers are forbidden in HTTP client because XMLHttpRequest API forbids those. (https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name). XMLHttpRequest API forbids those, as allowing them would make Cross-origin resource sharing API insecure. This isn't an issue for Java HTTP client, as it doesn't implement CORS, and due to not being a web browser likely never will. This is useful, as some websites require those headers to work.

Fix Request. This fix is important as it removes an unnecessary implementation-specific restriction on the set of headers that may be set by application code. This enables a number of use-cases where said headers need to be set. A new automated test has been added, and the existing tests pass successfully. The backport patch applies cleanly.

Currently I'm working on JDK-8211308 which adds HTTP/2 support [1] to OpenJFX/WebView component. Since WebView is a browser component, it sets a few request headers like "Referer", "Origin" which are restricted by java.net.http.HttpHeaders. [1] https://github.com/javafxports/openjdk-jfx/pull/247
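
A way to check whether the JDK an application actually runs on still rejects these headers, as an added example that is not part of the issue or its comments and not code from the JDK project. The class name `HeaderProbe`, the header list, and the `example.invalid` URL are assumptions made for illustration; no request is sent.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class HeaderProbe {
    // Origin and Referer are the two headers this issue is about. The other
    // names are a constructed comparison set, not a list taken from the JDK.
    static final List<String> NAMES =
            List.of("Origin", "Referer", "Host", "Content-Length", "X-Example");

    /** Maps each header name to true if HttpRequest.Builder accepted it on this runtime. */
    static Map<String, Boolean> probe(List<String> names) {
        Map<String, Boolean> accepted = new LinkedHashMap<>();
        for (String name : names) {
            try {
                // Building a request performs only local validation; nothing goes on the wire.
                HttpRequest.newBuilder(URI.create("https://example.invalid/"))
                        .header(name, "https://example.invalid")
                        .build();
                accepted.put(name, true);
            } catch (IllegalArgumentException e) {
                // The builder signals an invalid or implementation-restricted
                // header name or value with IllegalArgumentException.
                accepted.put(name, false);
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Report the runtime version alongside the result, since the outcome
        // depends on whether the running JDK contains this fix.
        System.out.println("java.version = " + System.getProperty("java.version"));
        probe(NAMES).forEach((name, ok) ->
                System.out.println(name + ": " + (ok ? "accepted" : "rejected")));
    }
}
```

Running the probe at application startup or in a build check shows whether a deployment target includes the fix, before code that sets `Origin` or `Referer` fails at request-construction time.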