Intent to ship: Fetch Metadata Request Headers

[Niklas Gögge]

As of Firefox 90 we intend to turn Fetch Metadata Request Headers on by default on all platforms. It has been developed behind the dom.security.secFetch.enabled preference. Chrome, Opera and Edge have already shipped this feature.
Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1695911

A fetch metadata request header is a HTTP request header that provides additional information about the context the request originated from. These header names are prefixed with Sec- and thus they are forbidden header names so headers can not be modified from JavaScript.
Fetch metadata request headers provide the server with additional information about where the request originated from, enabling it to ignore potentially malicious requests.

Standard: https://www.w3.org/TR/fetch-metadata/
web-platform-tests: https://github.com/web-platform-tests/wpt/tree/master/fetch/metadata