Describe the bug
new Request() accepts forbidden HTTP methods like CONNECT, TRACE, and TRACK without throwing. the Fetch Standard explicitly forbids these methods and browsers throw a TypeError for them.

To Reproduce

new Request("https://example.com", { method: "CONNECT" })
// no error in Boa, expected TypeError

new Request("https://example.com", { method: "TRACE" })
// no error in Boa, expected TypeError

new Request("https://example.com", { method: "TRACK" })
// no error in Boa, expected TypeError

Verified in Node.js:

node -e 'try { new Request("https://example.com", { method: "CONNECT" }); console.log("OK"); } catch (e) { console.log(e.name + ": " + e.message); }'
# TypeError: 'CONNECT' HTTP method is unsupported.

node -e 'try { new Request("https://example.com", { method: "TRACE" }); console.log("OK"); } catch (e) { console.log(e.name + ": " + e.message); }'
# TypeError: 'TRACE' HTTP method is unsupported.

node -e 'try { new Request("https://example.com", { method: "TRACK" }); console.log("OK"); } catch (e) { console.log(e.name + ": " + e.message); }'
# TypeError: 'TRACK' HTTP method is unsupported.

Expected behavior
new Request() should throw a TypeError when a forbidden method is used, matching Node.js and browser behavior.

Build environment:

• OS: Windows 11
• Version: 10.0.26200
• Target triple: x86_64-pc-windows-msvc
• Rustc version: rustc 1.94.0 (4a4ef493e 2026-03-02)

Additional context
root cause is in core/runtime/src/fetch/request.rs - method is set without checking against the forbidden methods list from the Fetch spec.

spec reference: https://fetch.spec.whatwg.org/#forbidden-method