FF90: Adds support for HTTP Sec-Fetch-* headers #5499

Merged
merged 19 commits into from Jun 4, 2021

Collaborator

@hamishwillee hamishwillee commented May 31, 2021

This updates the documents for Sec-Fetch-* headers as requested in #5375 (for https://bugzilla.mozilla.org/show_bug.cgi?id=1695911)

This depends a bit on BCD to tell me if this should still be considered experimental: BCD

@github-actions
Contributor

github-actions bot commented May 31, 2021

Preview URLs

Flaws

Note! 7 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/HTTP/Headers
Title: HTTP headers
on GitHub
Flaw count: 3

  • macros:
    • /en-US/docs/Glossary/COEP does not exist
    • /en-US/docs/Glossary/COOP does not exist
    • /en-US/docs/Glossary/CORP does not exist

URL: /en-US/docs/Glossary/Fetch_metadata_request_header
Title: Fetch metadata request header
on GitHub
Flaw count: 1

  • macros:
    • /en-US/docs/Glossary/resource_isolation_policy does not exist

External URLs

URL: /en-US/docs/Web/HTTP/Headers
Title: HTTP headers
on GitHub

No new external URLs


URL: /en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode
Title: Sec-Fetch-Mode
on GitHub


URL: /en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest
Title: Sec-Fetch-Dest
on GitHub


URL: /en-US/docs/Web/HTTP/Headers/Sec-Fetch-User
Title: Sec-Fetch-User
on GitHub


URL: /en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site
Title: Sec-Fetch-Site
on GitHub


URL: /en-US/docs/Web/API/Request/mode
Title: Request.mode
on GitHub

No new external URLs


URL: /en-US/docs/Mozilla/Firefox/Releases/90
Title: Firefox 90 for developers
on GitHub


URL: /en-US/docs/Glossary/Fetch_metadata_request_header
Title: Fetch metadata request header
on GitHub


URL: /en-US/docs/Glossary/HTTP_header
Title: HTTP header
on GitHub

No new external URLs

(this comment was updated 2021-06-04 05:00:13.861751)

@hamishwillee hamishwillee marked this pull request as ready for review June 1, 2021 06:44
@hamishwillee hamishwillee requested review from a team as code owners June 1, 2021 06:44
@hamishwillee hamishwillee requested review from Rumyra and removed request for a team June 1, 2021 06:45
<dl>
<dt>{{HTTPHeader("Sec-Fetch-Site")}}</dt>
<dd>It is a request header that indicates the relationship between a request initiator's origin and its target's origin. It is a Structured Header whose value is a token with possible values <code>cross-site</code>, <code>same-origin</code>, <code>same-site</code>, and <code>none</code>.</dd>
<dt>{{HTTPHeader("Sec-Fetch-Mode")}}</dt>
<dd>It is a request header that indicates the request's mode to a server. It is a Structured Header whose value is a token with possible values <code>cors</code>, <code>navigate</code>, <code>nested-navigate</code>, <code>no-cors</code>, <code>same-origin</code>, and <code>websocket</code>.</dd>
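Review bot: In the `Sec-Fetch-Mode` `<dd>`, the value list includes `nested-navigate`, which the author's comment on this hunk notes is not present in the spec; remove it from the list, or keep it only with an explicit statement that it is not a spec-defined value. Both `<dd>` entries also open with "It is a request header that ..."; starting directly with "A request header that ..." would read more cleanly.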
Collaborator Author

Note, nested-navigate and nested-document are not present in the spec


<ul>
<li>{{HTTPHeader("Sec-Fetch-Site")}}</li>
<li>{{HTTPHeader("Sec-Fetch-Mode")}}</li>
<li>{{HTTPHeader("Sec-Fetch-User")}}</li>
<li>{{HTTPHeader("Sec-Fetch-Dest")}}</li>
<li><a href="https://web.dev/fetch-metadata/">Protect your resources from web attacks with Fetch Metadata</a> (web.dev)</li>
Collaborator Author

This is a good doc on the headers, and how you use them to create a resource isolation policy. It omits the User header. We could do something similar, but link is appropriate IMO for now. I have linked this and the following playground in all the docs.

Contributor

It seems better to link this (and the one below) after the list of the headers in its own paragraph.

Collaborator Author

Thanks. Good point. I have handled this by pulling the headers under their own bullet "Related headers". Looks a lot better.

@hamishwillee
Collaborator Author

This is ready for review. @annevk @Elchi3 You may be interested in providing feedback.

Contributor

@annevk annevk left a comment

Thanks! Generally looks good to me.


files/en-us/glossary/http_header/index.html (outdated, resolved)
files/en-us/web/http/headers/sec-fetch-dest/index.html (outdated, resolved)
files/en-us/web/http/headers/sec-fetch-site/index.html (outdated, resolved)
Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Contributor

@dergoegge dergoegge left a comment

none is not a valid value for sec-fetch-dest

But other than that, this looks good to me.

files/en-us/web/http/headers/sec-fetch-site/index.html (outdated, resolved)
files/en-us/web/http/headers/sec-fetch-site/index.html (outdated, resolved)
@hamishwillee
Collaborator Author

@Rumyra This has been checked by the technical experts, so should be good for your review and merge.

Collaborator

@Rumyra Rumyra left a comment

Thanks @hamishwillee - awesome work 👍

@Rumyra Rumyra merged commit 5d15b2b into mdn:main Jun 4, 2021
@hamishwillee hamishwillee deleted the ff90_http_sec_fetch_headers branch June 7, 2021 01:04
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 7, 2022