index.bs

<pre class='metadata'>
Title: Fetch Metadata Request Headers
Shortname: fetch-metadata
Level: 1
Status: DREAM
Editor: Mike West 56384, Google Inc., mkwst@google.com
!Explainer: https://github.com/mikewest/sec-metadata
Abstract:
    This document defines a set of Fetch metadata request headers that aim to provide servers with
    enough information to make <i lang="la">a priori</i> decisions about whether or not to service
    a request based on the way it was made, and the context in which it will be used.
Markup Shorthands: markdown yes
</pre>

<pre boilerplate="copyright">&copy;2018, Google, Inc. All rights reserved.</pre>

<pre class="biblio">
{
  "I-D.ietf-httpbis-header-structure": {
    "authors": [ "Mark Nottingham", "Poul-Henning Kamp" ],
    "href": "https://tools.ietf.org/html/draft-ietf-httpbis-header-structure",
    "title": "Structured Headers for HTTP",
    "status": "ID",
    "publisher": "IETF"
  },
  "mnot-designing-headers": {
    "authors": [ "Mark Nottingham" ],
    "href": "https://www.mnot.net/blog/2018/11/27/header_compression",
    "title": "Designing Headers for HTTP Compression"
  }
}
</pre>

<pre class="anchors">
urlPrefix: https://tools.ietf.org/html/draft-ietf-httpbis-header-structure; spec: I-D.ietf-httpbis-header-structure
    type: dfn
        text: structured header; url: #
    for: structured header
        type: dfn
            text: token; url: #section-3.9
            text: boolean; url: #section-3.11
    type: abstract-op
        text: serialize Structured Header; url: #section-4.1
</pre>

<pre class="link-defaults">
spec:fetch; type:dfn; for:/; text:request
spec:fetch; type:dfn; text:main fetch
spec:url; type:dfn; for:/; text:url
</pre>

Introduction {#intro}
=====================

Interesting web applications generally end up with a large number of web-exposed endpoints that
might reveal sensitive data about a user, or take action on a user's behalf. Since users' browsers
can be easily convinced to make requests to those endpoints, and to include the users' ambient
credentials (cookies, privileged position on an intranet, etc), applications need to be very careful
about the way those endpoints work in order to avoid abuse.

Being careful turns out to be hard in some cases ("simple" CSRF), and practically impossible in
others (cross-site search, timing attacks, etc). The latter category includes timing attacks based
on the server-side processing necessary to generate certain responses, and length measurements (both
via web-facing timing attacks and passive network attackers).

It would be helpful if servers could make more intelligent decisions about whether or not to respond
to a given request based on the way that it's made in order to mitigate the latter category. For
example, it seems pretty unlikely that a "Transfer all my money" endpoint on a bank's server would
expect to be referenced from an <{img}> tag, and likewise unlikely that `evil.com` is going to be
making any legitimate requests whatsoever. Ideally, the server could reject these requests
<i lang="la">a priori</i> rather than delivering them to the application backend.

Here, we describe a mechanims by which user agents can enable this kind of decision-making by
adding additional context to outgoing requests. By delivering metadata to a server in a set of
[=fetch metadata headers=], we enable applications to quickly reject requests based on testing a
set of preconditions. That work can even be lifted up above the application layer (to reverse
proxies, CDNs, etc) if desired.

Examples {#examples}
--------------------

A request generated by a <{picture}> element would result in a request containing the following
HTTP request headers:

```
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross
Sec-Fetch-User: ?F
```

A top-level navigation from `https://example.com` to `https://example.com/` caused by a user's click
on an in-page link would result in a request containing the following HTTP request header:

```
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?T
```

Fetch Metadata Headers {#framework}
===================================

The following sections define several <dfn export>fetch metadata headers</dfn>, each of which
exposes an interesting [=request=] attribute to a server.

The `Sec-Fetch-Dest` HTTP Request Header {#sec-fetch-dest-header}
-----------------------------------------------------------------

The <dfn http-header export>`Sec-Fetch-Dest`</dfn> HTTP request header exposes a [=request=]'s
[=request/destination=] to a server. It is a [=Structured Header=] whose value MUST be a
[=structured header/token=]. [[!I-D.ietf-httpbis-header-structure]] Its ABNF is:

```
Sec-Fetch-Dest = sh-token
```

Valid `Sec-Fetch-Dest` values include "`audio`", "`audioworklet`", "`document`", "`embed`",
"`empty`", "`font`", "`image`", "`manifest`", "`object`", "`paintworklet`", "`report`",
"`script`", "`serviceworker`", "`sharedworker`", "`style`", "`track`", "`video`", "`worker`",
"`xslt`", and "`nested-document`".

In order to support forward-compatibility with as-yet-unknown request types, servers SHOULD ignore
this header if it contains an invalid value.

<pre class="example">
// `fetch()`'s destination is the empty string:
Sec-Fetch-Dest: empty

// `<img>`'s destination is "image"
Sec-Fetch-Dest: image

// `new Worker()`'s destination is "worker"
Sec-Fetch-Dest: worker

// Top-level navigations' destinations are "document"
Sec-Fetch-Dest: document

// `&lt;iframe&gt;` navigations' destinations are "nested-document"
Sec-Fetch-Dest: nested-document
</pre>

<div algorithm="set `Sec-Fetch-Dest`">
To <dfn abstract-op lt="set-dest">set the `Sec-Fetch-Dest` header</dfn> for a [=request=] |r|:

<ol class="algorithm">
    1.  Assert: |r|'s [=request/url=] is a [=potentially trustworthy URL=].
    
    2.  Let |header| be a [=Structured Header=] whose value is a [=structured header/token=].

    3.  If |r|'s [=request/destination=] is the empty string, set |header|'s value to the string
        "`empty`". Otherwise, set |header|'s value to |r|'s [=request/destination=].
       
        Note: We map Fetch's empty string [=request/destination=] onto an explicit "`empty`"
        [=structured header/token=] in order to simplify processing.

    4.  If |header|'s value is "`document`", and |r|'s [=request/reserved client=] is either `null`
        or an [=environment=] whose [=target browsing context=] is a [=nested browsing context=],
        set |header's| to "`nested-document`".

        ISSUE(whatwg/fetch#755): Fetch currently does not define `nested-document`. It would be
        ideal if we could add it. Until then, we check the request's properties in this algorithm
        to distinguish "`document`" and "`nested-document`".

    5.  Let |value| be the result of [$serialize Structured Header|serializing$] |header|.

    6.  [=header list/Set=] &#96;<a http-header>`Sec-Fetch-Dest`</a>&#96;/|value| in |r|'s
        [=request/header list=].
</ol>
</div>



The `Sec-Fetch-Mode` HTTP Request Header {#sec-fetch-mode-header}
-----------------------------------------------------------------

The <dfn http-header export>`Sec-Fetch-Mode`</dfn> HTTP request header exposes a [=request=]'s
[=request/mode=] to a server. It is a [=Structured Header=] whose value is a
[=structured header/token=]. [[!I-D.ietf-httpbis-header-structure]] Its ABNF is:

```
Sec-Fetch-Mode = sh-token
```

Valid `Sec-Fetch-Mode` values include "`cors`", "`navigate`", "`no-cors`", "`same-origin`",
and "`websocket`". In order to support forward-compatibility with as-yet-unknown request types,
servers SHOULD ignore this header if it contains an invalid value.

<div algorithm="set `Sec-Fetch-Mode`">
To <dfn abstract-op lt="set-mode">set the `Sec-Fetch-Mode` header</dfn> for a [=request=] |r|:

<ol class="algorithm">
    1.  Assert: |r|'s [=request/url=] is a [=potentially trustworthy URL=].
    
    2.  Let |header| be a [=Structured Header=] whose value is a [=structured header/token=].

    3.  Set |header|'s value to |r|'s [=request/mode=].

    4.  Let |value| be the result of [$serialize Structured Header|serializing$] |header|.

    5.  [=header list/Set=] &#96;<a http-header>`Sec-Fetch-Mode`</a>&#96;/|value| in |r|'s
        [=request/header list=].
</ol>
</div>


The `Sec-Fetch-Site` HTTP Request Header {#sec-fetch-site-header}
-----------------------------------------------------------------

The <dfn http-header export>`Sec-Fetch-Site`</dfn> HTTP request header exposes the relationship
between a [=request=] initiator's origin and its target's origin. It is a [=Structured Header=]
whose value is a [=structured header/token=]. [[!I-D.ietf-httpbis-header-structure]] Its ABNF is:

```
Sec-Fetch-Site = sh-token
```

Valid `Sec-Fetch-Site` values include "`cross-site`", "`same-origin`", and "`same-site`". In order
to support forward-compatibility with as-yet-unknown request types, servers SHOULD ignore this
header if it contains an invalid value.

<div algorithm="set `Sec-Fetch-Site`">
To <dfn abstract-op lt="set-site">set the `Sec-Fetch-Site` header</dfn> for a [=request=] |r|:

<ol class="algorithm">
    1.  Assert: |r|'s [=request/url=] is a [=potentially trustworthy URL=].
    
    2.  Let |header| be a [=Structured Header=] whose value is a [=structured header/token=].

    3.  Set |header|'s value to `same-origin`.

    4.  For each |url| in |r|'s [=request/url list=]:

        1.  If |url| is [=same origin=] with |r|'s [=request/origin=], [=iteration/continue=].

        2.  If |r|'s [=request/origin=]'s [=registrable domain=] is not the same as |url|'s
            [=registrable domain=], set |header|'s value to `cross-site` and [=iteration/break=].

        3.  Set |header|'s value to `same-site`.

    5.  Let |value| be the result of [$serialize Structured Header|serializing$] |header|.

    6.  [=header list/Set=] &#96;<a http-header>`Sec-Fetch-Site`</a>&#96;/|value| in |r|'s
        [=request/header list=].
</ol>
</div>


The `Sec-Fetch-User` HTTP Request Header {#sec-fetch-user-header}
-----------------------------------------------------------------

The <dfn http-header export>`Sec-Fetch-User`</dfn> HTTP request header exposes whether or not a
[=request=] was [=triggered by user activation=]. It is a [=Structured Header=] whose value is a
[=structured header/boolean=]. [[!I-D.ietf-httpbis-header-structure]] Its ABNF is:

```
Sec-Fetch-User = sh-boolean
```

<div algorithm="set `Sec-Fetch-User`">
To <dfn abstract-op lt="set-user">set the `Sec-Fetch-User` header</dfn> for a [=request=] |r|:

<ol class="algorithm">
    1.  Assert: |r|'s [=request/url=] is a [=potentially trustworthy URL=].
    
    2.  Let |header| be a [=Structured Header=] whose value is a [=structured header/token=].

    3.  Set |header|'s value to `true`, if |r| was [=triggered by user activation=], and `false`
        otherwise.

        ISSUE: We need to pass this information into Fetch during HTML's navigation algorithm.

    4.  Let |value| be the result of [$serialize Structured Header|serializing$] |header|.

    5.  [=header list/Set=] &#96;<a http-header>`Sec-Fetch-User`</a>&#96;/|value| in |r|'s
        [=request/header list=].
</ol>
</div>


Integration with Fetch {#fetch-integration}
===========================================

<div algorithm="set fetch metadata headers">
To <dfn abstract-op export>set the Fetch metadata headers for a request</dfn>, given [=request=] |r|:

<ol class="algorithm">
    1.  If |r|'s [=request/url=] is not an [=potentially trustworthy URL=], return.

    2.  <a abstract-op lt='set-dest'>Set the `Sec-Fetch-Dest` header</a> for |r|.

    3.  <a abstract-op lt='set-mode'>Set the `Sec-Fetch-Mode` header</a> for |r|.

    4.  <a abstract-op lt='set-site'>Set the `Sec-Fetch-Site` header</a> for |r|.

    5.  <a abstract-op lt='set-user'>Set the `Sec-Fetch-User` header</a> for |r|.
</ol>
</div>

Fetch will call into the algorithm above from within its [=main fetch=] algorithm. Please consult
that specification for integration details [[!FETCH]].

ISSUE: Monkey patching! I should file a bug.

Security and Privacy Considerations {#sec-priv-considerations}
==============================================================

Redirects {#redirects}
----------------------

The user agent will send a <a http-header>`Sec-Fetch-Site`</a> header along with each request in a
redirect chain. The header's value will shift in the presence of cross-origin or cross-site
redirection in order to mitigate confusion.

The algorithm to <a abstract-op lt='set-site'>set the `Sec-Fetch-Site` header</a> walks the [=request=]'s entire
[=request/url list=], and will send `cross-site` if any URL in the list is cross-site to the
request's [=request/current url=], `same-site` only if all URLs in the list are same-site with the
request's [=request/current url=], and `same-origin` only if all URLs in the list are same-origin
with the request's [=request/current url=].

For example, if `https://example.com/` requests `https://example.com/redirect`, the initial
request's `Sec-Fetch-Site` value would be `same-origin`. If that response redirected to
`https://subdomain.example.com/redirect`, that request's `Sec-Fetch-Site` value would be
`same-site` (as `https://subdomain.example.com/` and `https://example.com/` have the same
registrable domain). If that response redirected to `https://example.net/redirect`, that
request's `Sec-Fetch-Site` value would be `cross-site` (as `https://example.net/` is not
same-site with `https://example.com/` and `https://subdomain.example.com/`). If that response
redirects all the way back to `https://example.com/`, the final request's `Sec-Fetch-Site`
value would still be `cross-site` (as the redirect chain includes `https://example.net/`, which is
still not same-site with the other URLs.

The `Sec-` Prefix {#sec-prefix}
-------------------------------

Each of the headers defined in this document is prefixed with `Sec-`, which makes them all
[=forbidden header names=], and therefore unmodifiable from JavaScript. This will prevent
malicious websites from convincing user agents to send forged metadata along with requests,
which should give sites a bit more confidence in their ability to respond reasonably to
the advertised information.

Deployment Considerations {#deployment-considerations}
======================================================

Vary {#vary}
------------

If a given endpoint's response depends upon the values the client delivers in a
[=Fetch metadata header=], developers should be careful to include an appropriate `Vary` header
[[RFC7231]], in order to ensure that caches handle the response appropriately. For example,
`Vary: Accept-Encoding, Sec-Fetch-Site`.

Header Bloat {#bloat}
---------------------

An earlier version of this document defined a single `Sec-Metadata` header, whose contents were
a dictionary. Subsequent discussion (as well as Mark Nottingham's excellent
[[mnot-designing-headers]]) shifted the design away from a single dictionary to a series of simple
headers, each of which contains only a single token. This design should perform significantly better
under HTTP's current HPACK compression algorithms.

Further discussion on the topic can be found on the review thread in
[w3ctag/design-reviews#280](https://github.com/w3ctag/design-reviews/issues/280).

IANA Considerations {#iana}
===========================

The permanent message header field registry should be updated with the following registrations for
[=Fetch metadata headers=]: [[!RFC3864]]

`Sec-Fetch-Dest` Registration {#sec-fetc-dest-reg}
-----------------------------

:   Header field name
::  Sec-Fetch-Dest
:   Applicable protocol
::  http
:   Status
::  standard
:   Author/Change controller
::  Me
:   Specification document
::  This specification (See [[#sec-fetch-dest-header]])

`Sec-Fetch-Mode` Registration {#sec-fetch-mode-reg}
-----------------------------

:   Header field name
::  Sec-Fetch-Mode
:   Applicable protocol
::  http
:   Status
::  standard
:   Author/Change controller
::  Me
:   Specification document
::  This specification (See [[#sec-fetch-mode-header]])

`Sec-Fetch-Site` Registration {#sec-fetch-site-reg}
-----------------------------

:   Header field name
::  Sec-Fetch-Site
:   Applicable protocol
::  http
:   Status
::  standard
:   Author/Change controller
::  Me
:   Specification document
::  This specification (See [[#sec-fetch-site-header]])

`Sec-Fetch-User` Registration {#sec-fetch-user-reg}
-----------------------------

:   Header field name
::  Sec-Fetch-User
:   Applicable protocol
::  http
:   Status
::  standard
:   Author/Change controller
::  Me
:   Specification document
::  This specification (See [[#sec-fetch-user-header]])