Fetch Metadata Browser Headers

[ThunderSon]

Feature Request

Adding a new header

Is the header supported by any user agent? If so, which?

Chrome v76 and chromium-based browsers v79. Firefox is working to release this soon.

What does it do?

It's a resource isolation policy that the browser sends to the server in order to provide more context and allow the server to allow or deny the content access. Attacks such as CSRF, XSSI, XS-leaks, etc. will be much harder to pull once the server knows what the user-agent is allowing and expecting.

What are the headers for this policy?

• Sec-Fetch-Site: ['same-origin', 'same-site', 'none', 'cross-site']
• Sec-Fetch-Mode: ['same-origin', 'no-cors', 'cors', 'navigate']
• Sec-Fetch-Dest: the destination of the returned content (e.g. image)

Where does the specification live?

https://www.w3.org/TR/fetch-metadata/
I'd recommend reading the following article before checking the specification:
https://web.dev/fetch-metadata/

CC: @lweichselbaum

[oreoshake]

Thanks for the feature request @ThunderSon. Do you know if there is a corresponding issue/pr in rails/rails?

Similar to #275, I'd rather invest in rails core. Yes, this library supports all rack-based applications but I've been working on archiving this library for a long time in absence of someone willing to maintain this long-term.