Sec-Fetch-Site
Baseline2023
Newly available
SinceMarch 2023,this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
TheSec-Fetch-Site
fetch metadata request headerindicates the relationship between a request initiator's origin and the origin of the requested resource.
In other words, this header tells a server whether a request for a resource is coming from the same origin, the same site, a different site, or is a "user initiated" request. The server can then use this information to decide if the request should be allowed.
Same-origin requests would usually be allowed by default, but what happens for requests from other origins may further depend on what resource is being requested, or information in otherFetch metadata request headers.By default, requests that are not accepted should be rejected with a403
response code.
Header type | Fetch Metadata Request Header |
---|---|
Forbidden header name | yes (prefixSec- ) |
CORS-safelisted request header | no |
Syntax
Sec-Fetch-Site: cross-site
Sec-Fetch-Site: same-origin
Sec-Fetch-Site: same-site
Sec-Fetch-Site: none
Directives
cross-site
-
The request initiator and the server hosting the resource have a different site (i.e. a request by "potentially-evil" for a resource at "example" ).
same-origin
-
The request initiator and the server hosting the resource have the sameorigin(same scheme, host and port).
same-site
-
The request initiator and the server hosting the resource have the samesite,including the scheme.
none
-
This request is a user-originated operation. For example: entering a URL into the address bar, opening a bookmark, or dragging-and-dropping a file into the browser window.
Examples
A fetch request tohttps://mysite.example/foo.json
originating from a web page onhttps://mysite.example
(with the same port) is a same-origin request.
The browser will generate theSec-Fetch-Site: same-origin
header as shown below, and the server will typically allow the request:
GET /foo.json
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
A fetch request to the same URL from another site, for examplepotentially-evil
,causes the browser to generate a different header (e.g.Sec-Fetch-Site: cross-site
), which the server can choose to accept or reject:
GET /foo.json
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Specifications
Specification |
---|
Fetch Metadata Request Headers #sec-fetch-site-header |
Browser compatibility
BCD tables only load in the browser
See also
-
Related headers
-
Protect your resources from web attacks with Fetch Metadata(web.dev)
-
Fetch Metadata Request Headers playground(secmetadata.appspot )