Introduces a new set of HTTP request headers, including `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-User`, that send additional metadata about a request's provenance (is it cross-site, was it triggered from an `<img>`, etc.) to the server, allowing it to make security decisions that can mitigate some kinds of attacks based on timing the server's response (XS-Leaks and others).


Specification link

Specification being incubated in a Community Group

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • Positive




For example, it's unlikely that a bank's "Transfer all money" endpoint would be referenced from an img tag, and likewise unlikely that is going to be making any legitimate requests whatsoever. Ideally, the server could reject these requests a priori rather than deliver them to the application backend.
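The server-side decision described above is usually implemented as a "resource isolation policy": reject cross-site requests unless they are plain top-level navigations. The following is an added example, not code from the Chromium feature entry or from the specification; it also uses `Sec-Fetch-Dest`, which is part of the same Fetch Metadata family but is not listed on this page, and the request header sets it evaluates are constructed for illustration.

```python
from __future__ import annotations

# Fetch Metadata values that mean the request originated from our own site,
# or was not initiated by a web page at all (typed URL, bookmark, etc.).
TRUSTED_SITES = ("same-origin", "same-site", "none")

# Destinations that embed a cross-site navigation inside a page; a top-level
# navigation from the address bar or a link never carries these.
EMBEDDING_DESTS = ("object", "embed")


def fetch_metadata_allows(headers: dict[str, str], method: str = "GET") -> bool:
    """Apply a basic resource-isolation policy to one request.

    Returns True if the request should reach the application backend and
    False if it should be rejected up front, as the page suggests for a
    cross-site <img> pointing at a sensitive endpoint.
    """
    # Header names are case-insensitive; values are lower-case tokens.
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")

    # No Fetch Metadata at all: an older browser or a non-browser client.
    # Letting these through keeps the policy from breaking legacy clients;
    # other defences (CSRF tokens, SameSite cookies) still apply to them.
    if site is None:
        return True

    if site in TRUSTED_SITES:
        return True

    # Remaining case: cross-site. Allow only a top-level GET navigation that
    # is not being framed via <object>/<embed>; everything else (subresource
    # loads, fetch()/XHR, cross-site form POSTs) is rejected.
    is_navigation = h.get("sec-fetch-mode") == "navigate"
    is_get = method.upper() == "GET"
    not_embedded = h.get("sec-fetch-dest") not in EMBEDDING_DESTS
    return is_navigation and is_get and not_embedded


# Constructed sample requests against a hypothetical "/transfer" endpoint.
SAMPLE_REQUESTS = [
    ("own page calling fetch()", "POST",
     {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    ("cross-site <img> tag", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    ("cross-site link click", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("cross-site form POST", "POST",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("legacy client, no headers", "GET", {}),
]


def evaluate_samples() -> dict[str, bool]:
    """Run the policy over every constructed sample and return the verdicts."""
    return {name: fetch_metadata_allows(hdrs, method)
            for name, method, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{'ALLOW' if allowed else 'REJECT':6} {name}")
```

Two design points worth noting. The `Sec-` prefix makes these forbidden header names, so page script cannot set or spoof them; the server can trust that a `cross-site` value really came from the browser. And the cross-site form POST case is rejected here on purpose; a site that legitimately receives cross-site POSTs (for example an authentication callback) has to carve out those paths explicitly rather than weaken the default.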

Last updated on 2021-12-13