Frame Ancestor Headers would expose information about the relationship between a request's ancestor frames and that request's target by adding two new HTTP request headers, `Sec-Fetch-Frame-Top` and `Sec-Fetch-Frame-Ancestors`. This should support developers' understanding of the circumstances in which they may have access to unpartitioned cookies, and the ways in which their resources may be partitioned.
Currently, there is no signal on the web platform that comprehensively indicates the relationship between a request's destination and its ancestor frames. This information is important for sites to understand how cookies may be partitioned on a request and why a request may be auto-granted storage access permissions. This feature offers two new headers as signals, `Sec-Fetch-Frame-Top` and `Sec-Fetch-Frame-Ancestors`, whose values indicate whether a request's destination is `same-origin`, `same-site`, or `cross-site` to its top frame and to all of its ancestor frames, respectively.
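A server-side sketch of how a site might read the two proposed headers, added here as an illustration and not taken from the proposal or any browser implementation. It assumes a Node-style headers object with lowercase keys; the function names and the `crossSiteEmbed` flag are hypothetical, and treating any `cross-site` value as the sign that cookies may be partitioned is an assumption of this example.

```javascript
// Added example. The three values the page names, ordered from closest to most distant.
const RANK = { "same-origin": 0, "same-site": 1, "cross-site": 2 };

// Read one header from a Node-style headers object (lowercase keys).
// Returns null when the header is absent, repeated, or not one of the three values.
function readRelation(headers, name) {
  const raw = headers[name];
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  // Own-property check so inherited names such as "constructor" are rejected.
  return Object.prototype.hasOwnProperty.call(RANK, value) ? value : null;
}

// Combine both headers into one view of the embedding context.
function classifyEmbedding(headers) {
  const top = readRelation(headers, "sec-fetch-frame-top");
  const ancestors = readRelation(headers, "sec-fetch-frame-ancestors");
  if (top === null || ancestors === null) {
    // Browser does not send the headers, or a value is unusable: make no claim
    // and let the caller fall back to whatever logic it already has.
    return { top, ancestors, weakest: null, crossSiteEmbed: null };
  }
  // The most distant of the two relationships decides the overall context.
  const weakest = RANK[top] >= RANK[ancestors] ? top : ancestors;
  // Assumption of this example: any cross-site relation means cookies may be partitioned.
  return { top, ancestors, weakest, crossSiteEmbed: weakest === "cross-site" };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { "sec-fetch-frame-top": "same-origin", "sec-fetch-frame-ancestors": "same-origin" },
  // Same-origin top frame, but a cross-site frame sits somewhere in between.
  { "sec-fetch-frame-top": "same-origin", "sec-fetch-frame-ancestors": "cross-site" },
  { "sec-fetch-frame-top": "cross-site", "sec-fetch-frame-ancestors": "cross-site" },
  {}, // client that does not send the headers
];

for (const headers of SAMPLES) {
  console.log(JSON.stringify(classifyEmbedding(headers)));
}
```

The second sample is the case a check against the top frame alone would miss: the top frame is same-origin, yet an intermediate ancestor is cross-site.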
While we have not filed formal browser positions yet, a constructive discussion with both Mozilla and Apple is happening at https://github.com/w3c/webappsec-fetch-metadata/pull/89.
No milestones specified