Fetch Metadata Request Headers

Fetch Metadata Request Headers are an upcoming web platform feature designed to allow servers to protect themselves from cross-origin attacks. By providing information about the context of an HTTP request they allow the server to make a priori security decisions about whether or not to service a request based on the way it was made, and the context in which it will be used.

Specifically, two headers of note* are sent by the browser with every HTTP request:

Sec-Fetch-Site: the relationship between the origin that initiated the request and the origin of the requested resource (for example 'same-origin', 'same-site', 'cross-site', or 'none' for user-initiated requests such as typing a URL).
Sec-Fetch-Mode: the mode of the request, which distinguishes top-level navigations ('navigate'/'nested-navigate') from subresource fetches such as 'cors', 'no-cors', or 'same-origin'.

[*] The standard also defines two other headers which are less critical for server-side security decisions: Sec-Fetch-Dest is currently only enabled behind a flag and Sec-Fetch-User, while conditionally sent, is not utilized by any of our proposed policies.

Fetch Metadata policies

Resource Isolation Policy

Resource Isolation Policy is a server-side protection mechanism intended to mitigate CSRF, XSSI, timing side-channels, and exfiltration via speculative execution attacks. At a high level, the policy rejects requests with:
Sec-Fetch-Site == 'cross-site' AND (Sec-Fetch-Mode != 'navigate'/'nested-navigate' OR method NOT IN [GET, HEAD])

Navigation Isolation Policy

Navigation Isolation Policy is a server-side protection mechanism intended to mitigate clickjacking and reflected XSS. At a high level, the policy rejects requests with:
Sec-Fetch-Site == 'cross-site' AND Sec-Fetch-Mode == 'navigate'/'nested-navigate'
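The two policies above, expressed as server-side request checks, as an added example that is not part of the original page. It assumes a request is represented as an HTTP method plus a header dictionary, and that a request carrying no Sec-Fetch-Site header comes from a client without Fetch Metadata support and is therefore allowed through (the page does not cover that case).

```python
# Added example: evaluate Resource Isolation and Navigation Isolation
# policies against one request's method and headers.
NAVIGATION_MODES = {"navigate", "nested-navigate"}
SAFE_METHODS = {"GET", "HEAD"}


def _header(headers, name):
    """Case-insensitive header lookup; returns a normalised value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None


def resource_isolation_allows(method, headers):
    """Resource Isolation Policy: reject a cross-site request unless it is a
    navigation made with a safe method (GET or HEAD)."""
    site = _header(headers, "Sec-Fetch-Site")
    if site is None:
        return True  # assumption: client without Fetch Metadata, allow
    if site != "cross-site":
        return True
    mode = _header(headers, "Sec-Fetch-Mode")
    return mode in NAVIGATION_MODES and method.upper() in SAFE_METHODS


def navigation_isolation_allows(method, headers):
    """Navigation Isolation Policy: reject every cross-site navigation."""
    site = _header(headers, "Sec-Fetch-Site")
    if site is None:
        return True  # same assumption as above
    mode = _header(headers, "Sec-Fetch-Mode")
    return not (site == "cross-site" and mode in NAVIGATION_MODES)


def evaluate(method, headers, navigation_isolation=False):
    """Return (allowed, reason). Navigation Isolation is opt-in here because
    it also rejects cross-site navigations that reach the endpoint by design."""
    if not resource_isolation_allows(method, headers):
        return False, "resource-isolation"
    if navigation_isolation and not navigation_isolation_allows(method, headers):
        return False, "navigation-isolation"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: a cross-site POST, the classic CSRF shape.
    csrf_like = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors"}
    print(evaluate("POST", csrf_like))  # (False, 'resource-isolation')
```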

Docs
