FF90: Adds support for HTTP Sec-Fetch-* headers #5499
<dl> | ||
<dt>{{HTTPHeader("Sec-Fetch-Site")}}</dt> | ||
<dd>It is a request header that indicates the relationship between a request initiator's origin and its target's origin. It is a Structured Header whose value is a token with possible values <code>cross-site</code>, <code>same-origin</code>, <code>same-site</code>, and <code>none</code>.</dd> | ||
<dt>{{HTTPHeader("Sec-Fetch-Mode")}}</dt> | ||
<dd>It is a request header that indicates the request's mode to a server. It is a Structured Header whose value is a token with possible values <code>cors</code>, <code>navigate</code>, <code>nested-navigate</code>, <code>no-cors</code>, <code>same-origin</code>, and <code>websocket</code>.</dd> |
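Review bot: the Sec-Fetch-Mode <dd> lists <code>nested-navigate</code> among the possible values, which the review comment on this hunk flags as not present in the spec; drop it so the list reads <code>cors</code>, <code>navigate</code>, <code>no-cors</code>, <code>same-origin</code>, and <code>websocket</code>. Both <dd> entries also say "It is a Structured Header whose value is a token" without saying what a Structured Header is or linking to a definition, so a short link or gloss on first use would help readers who will be matching these tokens server-side.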
Note, nested-navigate and nested-document are not present in the spec
|
||
<ul> | ||
<li>{{HTTPHeader("Sec-Fetch-Site")}}</li> | ||
<li>{{HTTPHeader("Sec-Fetch-Mode")}}</li> | ||
<li>{{HTTPHeader("Sec-Fetch-User")}}</li> | ||
<li>{{HTTPHeader("Sec-Fetch-Dest")}}</li> | ||
<li><a href="https://web.dev/fetch-metadata/">Protect your resources from web attacks with Fetch Metadata</a> (web.dev)</li> |
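Review bot: the last <li> puts the web.dev article in the same <ul> as the four HTTPHeader macro entries, so an external guide reads as if it were a fifth related header. Move that link out of the header list into its own list or paragraph after it, so the related headers and the further-reading material stay visually separate.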
This is a good doc on the headers, and how you use them to create a resource isolation policy. It omits the User header. We could do something similar, but link is appropriate IMO for now. I have linked this and the following playground in all the docs.
It seems better to link this (and the one below) after the list of the headers in its own paragraph.
Thanks. Good point. I have handled this by pulling the headers under their own bullet "Related headers". Looks a lot better.
Thanks! Generally looks good to me.
Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
none is not a valid value for sec-fetch-dest
But other than that, this looks good to me.
…shwillee/content into ff90_http_sec_fetch_headers
Co-authored-by: Niklas Gögge <n.goeggi@gmail.com>
Co-authored-by: Niklas Gögge <n.goeggi@gmail.com>
@Rumyra This has been checked by the technical experts, so should be good for your review and merge.
Thanks @hamishwillee - awesome work 👍
This updates the documents for Sec-Fetch-* headers as requested in #5375 (for https://bugzilla.mozilla.org/show_bug.cgi?id=1695911)
This depends a bit on BCD to tell me if this should still be considered experimental: BCD