Fetch Metadata Request Headers #88

Closed
annevk opened this issue May 4, 2018 · 3 comments · Fixed by #223
Labels
position: positive venue: W3C Specifications in W3C Working Groups venue: WHATWG Specifications in a WHATWG Workstream

Comments


annevk commented May 4, 2018

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1508292.

See whatwg/fetch#700. Also mentioned in #80. Concerns mentioned in that issue:

My concern with that header is that it makes referrer leaking worse, unless we restrict it to revealing one of same-origin, same-site, or cross-site.

Another concern is that it's yet another request header. It could perhaps be made opt-in, but that requires new infrastructure that hasn't materialized yet. As such I don't think this is something we can or want to do soon.

@dbaron dbaron added the venue: WHATWG Specifications in a WHATWG Workstream label Aug 9, 2018
jonathanKingston commented Mar 8, 2019

@annevk should this be renamed to fetch metadata? Also can decide if there are more issues? The TAG closed their review and have been addressed: w3ctag/design-reviews#280

@annevk annevk changed the title from "Fetch: Sec-Site" to "Fetch Metadata Request Headers" Mar 8, 2019

annevk commented Mar 8, 2019

Someone will have to decide whether the additional fingerprinting bits and increase in request headers are worth it.

I'm quite convinced some of this is very useful for sites to protect their resources though.

I wonder if we could perhaps not expose "destination" and expose the main relevant bit that has through mode instead: w3c/webappsec-fetch-metadata#16.


annevk commented Sep 23, 2019

As an update, various security folks at Mozilla have discussed this more and Mozilla is positive on this, with the caveat that there's a couple outstanding issues still that need to be sorted.

@annevk annevk added the venue: W3C Specifications in W3C Working Groups label Sep 23, 2019
annevk added a commit that referenced this issue Nov 19, 2019
annevk added a commit that referenced this issue Dec 5, 2019