As of Firefox 90 we intend to turn Fetch Metadata Request Headers on by
default on all platforms. It has been developed behind the
dom.security.secFetch.enabled preference. Chrome, Opera and Edge have
already shipped this feature.
Bug to turn on by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=1695911
A fetch metadata request header is an HTTP request header that
provides additional information about the context the request originated
from. These header names are prefixed with Sec-, which makes them
forbidden header names, so they cannot be set or modified from JavaScript.
Fetch metadata request headers provide the server with additional
information about where the request originated from, enabling it to
ignore potentially malicious requests.
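
A sketch of how a server might act on these headers, added here as an illustration and not taken from Firefox or the standard's text. The header names and values (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) are those defined by the Fetch Metadata standard; the function names, the policy choices and the sample requests are assumptions made for this example.

```javascript
// Resource isolation policy using Fetch Metadata request headers.
// `headers` maps lower-cased header names to values, as Node's http module does.
function allowRequest(method, headers) {
  const site = headers['sec-fetch-site'];

  // Browsers without Fetch Metadata support and non-browser clients send no
  // header at all; rejecting them would break legitimate traffic.
  if (site === undefined) return true;

  // Same-origin, same-site and directly user-initiated requests (address bar,
  // bookmark) are accepted. A stricter deployment could drop 'same-site'.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // Cross-site from here on: accept only plain top-level GET navigations so
  // the site stays linkable, and refuse <object>/<embed> loads.
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  if (mode === 'navigate' && method === 'GET' && dest !== 'object' && dest !== 'embed') {
    return true;
  }

  // Everything else cross-site (subresource loads, fetch/XHR, form POSTs).
  return false;
}

// Constructed sample requests, not captured traffic.
const SAMPLES = [
  { name: 'same-origin fetch POST', method: 'POST',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { name: 'cross-site <img> load', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  { name: 'cross-site link click', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site form POST', method: 'POST',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site <embed>', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'embed' } },
  { name: 'client without Fetch Metadata', method: 'GET', headers: {} },
];

// Returns { name: true|false } for every sample request.
function evaluateSamples() {
  return Object.fromEntries(SAMPLES.map(s => [s.name, allowRequest(s.method, s.headers)]));
}

console.log(evaluateSamples());
```

If responses that depend on this decision can be cached, list the Sec-Fetch-* headers consulted in the response's Vary header.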
Standard:
https://www.w3.org/TR/fetch-metadata/
web-platform-tests:
https://github.com/web-platform-tests/wpt/tree/master/fetch/metadata