Bug ID: JDK-8203850 java.net.http HTTP client should allow specifying Origin and Referer headers

Type: Enhancement
Component: core-libs
Sub-Component: java.net
Affected Version: 10,11

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2018-05-25
Updated: 2018-10-19
Resolved: 2018-10-12

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 12
11.0.2Fixed	12 b16Fixed

A DESCRIPTION OF THE PROBLEM :
Apparenty, those headers are forbidden in HTTP client because XMLHttpRequest API forbids those. (https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name). XMLHttpRequest API forbids those, as allowing them would make Cross-origin resource sharing API insecure. This isn't an issue for Java HTTP client, as it doesn't implement CORS, and due to not being a web browser likely never will. This is useful, as some websites require those headers to work.

Fix Request. This fix is important as it removes an unnecessary implementation specific restriction on the set of headers that may be set by application code. This enables a number of use-cases where said headers need to be set. A new automated test has been added, and the existing tests pass successfully. The backport patch applies cleanly.

12-10-2018

Currently I'm working on JDK-8211308 which adds HTTP/2 support[1] to OpenJFX/WebView component. Since WebView is a browser component, it sets few request headers like "Referer", "Origin" which are restricted by java.net.http.HttpHeaders. [1] https://github.com/javafxports/openjdk-jfx/pull/247

11-10-2018