should Cookie headers be ignored by 'parameters'?

[karenetheridge]

In https://spec.openapis.org/oas/v3.1.0#fixed-fields-9: "If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored." Should this also include "Cookie" and/or "Set-Cookie", since these are handled by the 'cookie' parameter type?

Similarly for the header object at https://spec.openapis.org/oas/v3.1.0#header-object (and I noticed that "Accept", "Content-Type" or "Authorization" are not excluded there, and probably should be).

[handrews]

I think for the Header Object the "follows the structure of the Parameter Object" is sufficient, because the forbidden names are in the field definition. But we should say something about Cookie. I'm going with its behavior being undefined (for compatibility purposes - we can't make it illegal).

[handrews]

I think it's possible to describe Set-Cookie in a Header Object as it is a response header and its use is discussed in issue #1237, so I'm just going to make a note about Cookie.

[handrews]

PR merged for 3.0.4 and ported to 3.1.1 via PR #3921!
This is addressed by the new Appendix D.