Fetch Metadata

Introduces a new HTTP request header that sends additional metadata about a request's provenance (is it cross-site, is it triggered from <img>, etc.) to the server to allow it to make security decisions which might mitigate some kinds of attacks based on timing the server's response (xsleaks and others).

Comments

For example, it's unlikely that a bank's "Transfer all money" endpoint would be referenced from an img tag, and likewise unlikely that evil.com is going to be making any legitimate requests whatsoever. Ideally, the server could reject these requests a priori rather than deliver them to the application backend.

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature


Enabled by default (tracking bug) in:

  • Chrome for desktop release 76
  • Chrome for Android release 76
  • Android WebView release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Mixed public signals
  • No public signals
  • No public signals
  • Positive

Owner

Intent to Implement url

Intent to Implement thread

Last updated on 2019-06-04