Fetch Metadata Request Headers are an upcoming web platform feature designed to allow servers to protect themselves from cross-origin attacks. By providing information about the context of an HTTP request they allow the server to make a priori security decisions about whether or not to service a request based on the way it was made, and the context in which it will be used.
Specifically, two headers of note* are sent by the browser with every HTTP request:
Sec-Fetch-Site: The relationship between the request initiator's origin and its target's origin
Sec-Fetch-Mode: The mode of the request
* Sec-Fetch-Dest is currently only enabled behind a flag, and Sec-Fetch-User, while conditionally sent, is not used by any of our proposed policies.
Resource Isolation Policy is a server-side protection mechanism intended to mitigate CSRF, XSSI, timing side-channels, and exfiltration via speculative execution attacks. At a high level, the policy rejects requests with:
Sec-Fetch-Site == 'cross-site' AND (Sec-Fetch-Mode != 'navigate'/'nested-navigate' OR method NOT IN [GET, HEAD])
Navigation Isolation Policy is a server-side protection mechanism intended to mitigate clickjacking and reflected XSS. At a high level, the policy rejects requests with:
Sec-Fetch-Site == 'cross-site' AND Sec-Fetch-Mode == 'navigate'/'nested-navigate'
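The two rejection rules above, implemented as a server-side request filter. This is an added example, not code from the original text or from any browser or framework project; it assumes headers arrive as a dict with lowercase keys, and it assumes (the page states no rule for this case) that a request carrying no Sec-Fetch-Site header, i.e. one from a browser that does not send Fetch Metadata, is allowed through. The sample requests at the bottom are constructed to cover the cases each policy is meant to catch: a cross-site form POST (CSRF), a cross-site script include (XSSI), a cross-site frame (clickjacking) and an ordinary cross-site link click.

```python
"""Resource Isolation Policy and Navigation Isolation Policy as request filters.

Added example, not from the original text. Assumptions: header names are
lowercase dict keys; a request with no Sec-Fetch-Site header is allowed,
since the page defines no rule for browsers that do not send Fetch Metadata.
"""

NAVIGATION_MODES = {"navigate", "nested-navigate"}
SAFE_METHODS = {"GET", "HEAD"}


def resource_isolation_policy(method: str, headers: dict) -> bool:
    """Return True if Resource Isolation Policy lets the request through.

    Rejects: Sec-Fetch-Site == 'cross-site' AND
             (Sec-Fetch-Mode not a navigation OR method NOT IN [GET, HEAD])
    """
    site = headers.get("sec-fetch-site")
    if site is None:            # assumption: no Fetch Metadata -> allow
        return True
    if site != "cross-site":    # same-origin, same-site, none -> allow
        return True
    mode = headers.get("sec-fetch-mode", "")
    # Only a cross-site top-level/nested navigation using GET or HEAD survives
    return mode in NAVIGATION_MODES and method.upper() in SAFE_METHODS


def navigation_isolation_policy(method: str, headers: dict) -> bool:
    """Return True if Navigation Isolation Policy lets the request through.

    Rejects: Sec-Fetch-Site == 'cross-site' AND Sec-Fetch-Mode is a navigation
    (the method does not matter for this rule).
    """
    site = headers.get("sec-fetch-site")
    if site is None:            # assumption: no Fetch Metadata -> allow
        return True
    mode = headers.get("sec-fetch-mode", "")
    return not (site == "cross-site" and mode in NAVIGATION_MODES)


def evaluate(method: str, headers: dict,
             resource_isolation: bool = True,
             navigation_isolation: bool = False) -> tuple:
    """Apply the enabled policies; return (allowed, reason).

    A server would turn a False result into an HTTP 403 before touching
    application code, which is what makes the decision "a priori".
    """
    if resource_isolation and not resource_isolation_policy(method, headers):
        return False, "rejected by Resource Isolation Policy"
    if navigation_isolation and not navigation_isolation_policy(method, headers):
        return False, "rejected by Navigation Isolation Policy"
    return True, "allowed"


# Constructed sample requests (name -> (method, headers)); not captured traffic.
SAMPLE_REQUESTS = {
    "same-origin xhr POST":   ("POST", {"sec-fetch-site": "same-origin", "sec-fetch-mode": "cors"}),
    "cross-site form POST":   ("POST", {"sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate"}),
    "cross-site script GET":  ("GET",  {"sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors"}),
    "cross-site link GET":    ("GET",  {"sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate"}),
    "cross-site iframe GET":  ("GET",  {"sec-fetch-site": "cross-site", "sec-fetch-mode": "nested-navigate"}),
    "typed URL GET":          ("GET",  {"sec-fetch-site": "none", "sec-fetch-mode": "navigate"}),
    "legacy browser GET":     ("GET",  {}),
}


def classify_samples() -> dict:
    """Run both policies over the samples; returns name -> (rip_ok, nip_ok)."""
    return {
        name: (resource_isolation_policy(m, h), navigation_isolation_policy(m, h))
        for name, (m, h) in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (rip_ok, nip_ok) in classify_samples().items():
        print(f"{name:24s} RIP={'allow' if rip_ok else 'reject'}  "
              f"NIP={'allow' if nip_ok else 'reject'}")
```

Note how the two policies are complementary: Resource Isolation blocks the cross-site form POST and the cross-site script include but lets a plain cross-site link click through, while Navigation Isolation blocks the link click and the frame but says nothing about the script include. A site that serves only API or asset endpoints can enable the first alone; a site that also needs to stop being framed or linked to from other sites layers the second on top, at the cost of breaking legitimate inbound links.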