Fetch: From-Origin

[annevk]

If there are any concerns around From-Origin as outlined at whatwg/fetch#687 that'd be good to know.

There's also an alternative proposed in that thread: an Origin header that's included for every request. My concern with that header is that it makes referrer leaking worse, unless we restrict it to revealing one of same-origin, same-site, or cross-site.

(An architectural question here is that this is yet another piece of web infrastructure proposing a dependency on Public Suffix. Given that WebAuthn does it too, I kinda think we've already taken the decision to embrace it, but it's worth calling out.)

[annevk]

We've discussed this internally and those partaking in that discussion agreed on worth prototyping as a position, provided the feature only affects whether the fetch in question succeeds or fails and has no side effects beyond that.

[annevk]

Closing this in favor of https://bugzilla.mozilla.org/show_bug.cgi?id=1459573. It probably doesn't need a new entry on the dashboard.