The cookie and cookie2 are stripped from outgoing requests when set by the user on the web. For servers, this does not make sense because they do not have a cookie jar.
We should allow setting these headers.
The outbound set-cookie header is disallowed only because of technical difficulty with implementation in browsers - we could keep this disallowed, or allow it - it does not matter much I think.
The
cookieandcookie2are stripped from outgoing requests when set by the user on the web. For servers, this does not make sense because they do not have a cookie jar.We should allow setting these headers.
The outbound
set-cookieheader is disallowed only because of technical difficulty with implementation in browsers - we could keep this disallowed, or allow it - it does not matter much I think.