Fetch Metadata

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 76)
Intent stage: Prepare to ship

Summary

Introduces a new set of HTTP request headers, including `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-User`, that sends additional metadata about a request's provenance (is it cross-site, is it triggered from <img>, etc.) to the server to allow it to make security decisions which might mitigate some kinds of attacks based on timing the server's response (xsleaks and others).

Standards & signals

Specification: https://mikewest.github.io/sec-metadata/
Firefox: No signal — https://github.com/mozilla/standards-positions/issues/88 is ongoing, but I've heard positive things from individuals.
Safari: No signal
Web developers: Positive — Dropbox wants to deploy this https://github.com/w3ctag/design-reviews/issues/280#issuecomment-440896562. Google wants to deploy this. I've heard positive comments from GitHub as well.
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=843478

Explainers: https://github.com/mikewest/sec-metadata

View on chromestatus.com