# Contact emails
# Explainer
# Spec
# Summary
Fetch Metadata introduces 4 new HTTP request headers that send additional metadata about a request's provenance (is it cross-site, is it `no-cors`, etc.) to the server in order to allow it to make security decisions which might mitigate some kinds of attacks based on timing the server's response (xsleaks and others).
This intent aims to ship 3 of those headers: `Sec-Fetch-Mode`, `Sec-Fetch-Site`, and `Sec-Fetch-User`. The fourth, `Sec-Fetch-Dest`, needs a little more discussion, so I'd like to leave our implementation behind a flag for the time being.
# Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/d/msg/blink-dev/tNwA_l_o9lc/5wug6BcmCQAJ
# Risks
## Interoperability and Compatibility
The biggest risk for deployment is that different browsers send different header values for the same kind of request. We're attempting to mitigate this risk with a reasonably robust test suite, and with recommendations in the spec for browser-specific features that are difficult to test via WPT (e.g. distinguishing users' typed navigation from page-controlled navigation).
Edge: No public signals
Safari: No public signals
## Ergonomics
I expect developers will use these metadata headers on the server side as another layer of defense in combination with client-side mechanisms like Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, and whichever headers we define next to provide more robust isolation. These are all shipping at different times in different browsers, but that seems fine, as each provides an independent layer which can be useful independently.
## Security
The feature exposes additional metadata about a given request, enabling servers to make informed decisions about the ways in which they respond. We believe it's security-positive in impact.
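The server-side decision described above, as an added example that is not part of the original post or of Chromium's code. It assumes the header values from the published Fetch Metadata specification (`same-origin`, `same-site`, `cross-site`, `none`, `navigate`, `?1`); the `evaluate` function and its `sensitive` flag are hypothetical names.

```python
# Added example: request filter keyed on the three headers this intent ships.
# Header values follow the published Fetch Metadata spec (assumption, not on the page).

# "none" means no site initiated the request (typed URL, bookmark).
TRUSTED_SITES = {"same-origin", "same-site", "none"}


def evaluate(method, headers, sensitive=False):
    """Return (allowed, reason) for one request.

    headers:   mapping of request header names to values (any case).
    sensitive: if True, a cross-site navigation must also carry
               Sec-Fetch-User: ?1 (navigation triggered by user activation).
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")

    # Browsers that do not send the headers: rely on the other defense layers.
    if site is None:
        return True, "no fetch metadata"
    if site in TRUSTED_SITES:
        return True, "trusted initiator"
    if site != "cross-site":
        return False, "unrecognized Sec-Fetch-Site"

    # Cross-site: only navigations with safe methods get through.
    # "navigate" also covers framed navigations; telling those apart
    # needs the fourth header, which this intent does not ship.
    if h.get("sec-fetch-mode") != "navigate":
        return False, "cross-site subresource request"
    if method.upper() not in ("GET", "HEAD"):
        return False, "cross-site state-changing navigation"
    if sensitive and h.get("sec-fetch-user") != "?1":
        return False, "cross-site navigation without user activation"
    return True, "cross-site navigation"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors"}),
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"}),
        ("POST", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}),
        ("GET", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", evaluate(method, hdrs))
```

Requests without any `Sec-Fetch-*` header are allowed through so that browsers which have not shipped the feature keep working, which is why this check is one layer alongside the client-side mechanisms rather than a replacement for them.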
# Debuggability
These headers are discoverable in devtools, just like any other header.
# Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
# Is this feature fully tested by web-platform-tests?
# Tracking bug