assertThat(formEncode(8)).isEqualTo("%08")
    assertThat(formEncode(9)).isEqualTo("%09")
    // Browsers convert '\n' to '\r\n'
    assertThat(formEncode(10)).isEqualTo("%0A")
    assertThat(formEncode(11)).isEqualTo("%0B")
    assertThat(formEncode(12)).isEqualTo("%0C")
    // Browsers convert '\r' to '\r\n'
    assertThat(formEncode(13)).isEqualTo("%0D")
    assertThat(formEncode(14)).isEqualTo("%0E")

## Steps { #steps }

So, let's say you have a frontend running in your browser at `http://localhost:8080`, and its JavaScript is trying to communicate with a backend running at `http://localhost` (because we don't specify a port, the browser will assume the default port `80`).

///

/// info

To declare cookies, you need to use `Cookie`, because otherwise the parameters would be interpreted as query parameters.

///

/// info

Have in mind that, as **browsers handle cookies** in special ways and behind the scenes, they **don't** easily allow **JavaScript** to touch them.

    /**
     * Enumeration of supported browser types for user agent detection.
     * Each type represents a major browser family that can be detected
     * from the User-Agent header string.
     */
    public enum UserAgentType {
        /** Internet Explorer and Trident-based browsers */
        IE,
        /** Mozilla Firefox browser */
        FIREFOX,
        /** Google Chrome browser */
        CHROME,

* SSE - [Server-sent events](https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events)

Where the spec is ambiguous, OkHttp follows modern user agents such as popular Browsers or common HTTP Libraries.

OkHttp is principled and avoids being overly configurable, especially when such configuration is
to workaround a buggy server, test invalid scenarios or that contradict the relevant RFC.

```
http://localhost:8000/v1/agents/multivac
```

Even though the host of the malicious website and the local app is different, the browser won't trigger a CORS preflight request because:

* It's running without any authentication, it doesn't have to send any credentials.
* The browser thinks it's not sending JSON (because of the missing `Content-Type` header).

    // 3) Caller specified but assuming the visible defaults in MODERN_CIPHER_SUITES are rejigged
    // to match legacy i.e. the platform/provider
    //
    // Opting for 2 here and keeping MODERN_TLS in line with secure browsers.
    cipherSuitesAsString.intersect(socketEnabledCipherSuites, CipherSuite.ORDER_BY_NAME)
  } else {
    socketEnabledCipherSuites
  }

internal fun MediaType?.chooseCharset(): Pair<Charset, MediaType?> {

   * {@code co.uk}, {@code google.invalid}, or {@code blogspot.com}.
   *
   * <p>This method can be used to determine whether it will probably be possible to set cookies on
   * the domain, though even that depends on individual browsers' implementations of cookie
   * controls. See <a href="http://www.ietf.org/rfc/rfc2109.txt">RFC 2109</a> for details.
   *
   * @since 6.0
   */
  public boolean isUnderPublicSuffix() {

				// If escapeHTML is set, it also escapes <, >, and &
				// because they can lead to security holes when
				// user-controlled strings are rendered into JSON
				// and served to some browsers.
				dst.WriteString(`u00`)
				dst.WriteByte(hexTable[b>>4])
				dst.WriteByte(hexTable[b&0xF])
			}
			i++
			start = i
			continue
		}
		c, size := utf8.DecodeRuneInString(s[i:])

 * direct translation of the pseudocode presented there.
 *
 * Partner this class with [UTS #46] to implement IDNA2008 [RFC 5890] like most browsers do.
 *
 * [RFC 3492]: https://datatracker.ietf.org/doc/html/rfc3492
 * [RFC 5890]: https://datatracker.ietf.org/doc/html/rfc5890
 * [UTS #46]: https://www.unicode.org/reports/tr46/
 */
object Punycode {