secure_headers icon indicating copy to clipboard operation
secure_headers copied to clipboard
verified publisher icon github

Fetch Metadata Browser Headers

Open ThunderSon opened this issue 5 years ago • 1 comments

Feature Request

Adding a new header

Is the header supported by any user agent? If so, which?

Chrome v76 and chromium-based browsers v79. Firefox is working to release this soon.

What does it do?

It's a resource isolation policy that the browser sends to the server in order to provide more context and allow the server to allow or deny the content access. Attacks such as CSRF, XSSI, XS-leaks, etc. will be much harder to pull once the server knows what the user-agent is allowing and expecting.

What are the headers for this policy?

  • Sec-Fetch-Site: ['same-origin', 'same-site', 'none', 'cross-site']
  • Sec-Fetch-Mode: ['same-origin', 'no-cors', 'cors', 'navigate']
  • Sec-Fetch-Dest: the destination of the returned content (e.g. image)

Where does the specification live?

https://www.w3.org/TR/fetch-metadata/ I'd recommend reading the following article before checking the specification: https://web.dev/fetch-metadata/

CC: @lweichselbaum

ThunderSon avatar Jun 15 '20 20:06 ThunderSon

Thanks for the feature request @ThunderSon. Do you know if there is a corresponding issue/pr in rails/rails?

Similar to https://github.com/github/secure_headers/issues/275, I'd rather invest in rails core. Yes, this library supports all rack-based applications but I've been working on archiving this library for a long time in absence of someone willing to maintain this long-term.

oreoshake avatar Jun 16 '20 00:06 oreoshake