{"id":2765,"date":"2021-07-12T01:24:24","date_gmt":"2021-07-12T08:24:24","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2765"},"modified":"2021-07-12T01:24:24","modified_gmt":"2021-07-12T08:24:24","slug":"firefox-90-supports-fetch-metadata-request-headers","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/","title":{"rendered":"Firefox 90 supports Fetch Metadata Request Headers"},"content":{"rendered":"<p>We are pleased to announce that Firefox 90 will support <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers#fetch_metadata_request_headers\">Fetch Metadata Request Headers<\/a>, which allow web applications to protect themselves and their users against various cross-origin threats such as (a) cross-site request forgery (<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Types_of_attacks\">CSRF<\/a>), (b) cross-site leaks (<a href=\"https:\/\/xsleaks.dev\/\">XS-Leaks<\/a>), and (c) speculative cross-site execution side channel (<a href=\"https:\/\/meltdownattack.com\/\">Spectre<\/a>) attacks.<\/p>\n<h3>Cross-site attacks on Web Applications<\/h3>\n<p>The fundamental security problem underlying cross-site attacks is that the web, by its open nature, does not allow web application servers to easily distinguish between requests originating from their own application and requests originating from a malicious (<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\">cross-site<\/a>) application, potentially opened in a different browser tab.<\/p>\n<div id=\"attachment_2766\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg\"><img aria-describedby=\"caption-attachment-2766\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2766 size-full\" 
src=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg\" alt=\"\" width=\"2560\" height=\"1028\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg 2560w, https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-300x120.jpg 300w, https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-600x241.jpg 600w, https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-768x308.jpg 768w, https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-1536x617.jpg 1536w, https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-2048x822.jpg 2048w, https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-1000x401.jpg 1000w\" sizes=\"(max-width: 2560px) 100vw, 2560px\" \/><\/a><p id=\"caption-attachment-2766\" class=\"wp-caption-text\">Firefox 90 sending Fetch Metadata (Sec-Fetch-*) Request Headers, which allow web application servers to protect themselves against all sorts of cross-site attacks.<\/p><\/div>\n<p>For example, as illustrated in the figure above, let\u2019s assume you log into your banking site hosted at <a href=\"https:\/\/banking.com\">https:\/\/banking.com<\/a> and conduct some online banking activities. Simultaneously, an attacker-controlled website opened in a different browser tab and illustrated as <a href=\"https:\/\/attacker.com\">https:\/\/attacker.com<\/a> performs some malicious actions.<\/p>\n<p>Innocently, you continue to interact with your banking site, which ultimately causes the banking web server to receive some actions. Unfortunately, the banking web server has little to no way of telling who initiated the action: you, or the attacker in the malicious website in the other tab. 
Hence the banking server, or web application servers in general, will most likely simply execute any action received and allow the attack to succeed.<\/p>\n<h3>Introducing Fetch Metadata<\/h3>\n<p>As illustrated in the attack scenario above, the HTTP request header <code>Sec-Fetch-Site<\/code> allows the web application server to distinguish between a <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\">same-origin<\/a> request from the corresponding web application and a <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\">cross-origin<\/a> request from an attacker-controlled website.<\/p>\n<p>Inspecting the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers#fetch_metadata_request_headers\">Sec-Fetch-* Headers<\/a> ultimately allows the web application server to reject or ignore malicious requests because of the additional context provided by the Sec-Fetch-* header family. In total there are four different Sec-Fetch-* headers: <code>Dest<\/code>, <code>Mode<\/code>, <code>Site<\/code> and <code>User<\/code>, which together allow web applications to protect themselves and their end users against the previously mentioned cross-site attacks.<\/p>\n<h3>Going Forward<\/h3>\n<p>While Firefox will soon ship with its new <a href=\"https:\/\/hacks.mozilla.org\/2021\/05\/introducing-firefox-new-site-isolation-security-architecture\/\">Site Isolation Security Architecture<\/a>, which will combat a few of the above issues, we recommend that web applications make use of the newly supported Fetch Metadata headers, which provide a defense-in-depth mechanism for applications of all sorts.<\/p>\n<p>As a Firefox user, you can benefit from the additionally provided headers as soon as your Firefox auto-updates to version 90. 
If you aren\u2019t a Firefox user yet, <a href=\"https:\/\/www.mozilla.org\/firefox\/new\/\">you can download the latest version here<\/a> to start benefiting from all the ways that Firefox works to protect you when browsing the internet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; We are pleased to announce that Firefox 90 will support Fetch Metadata Request Headers which allows web applications to protect themselves and their users against various cross-origin threats like &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/\">Read more<\/a><\/p>\n","protected":false},"author":1845,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47,69],"tags":[],"coauthors":[454652,280776],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 90 supports Fetch Metadata Request Headers - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Niklas G\u00f6gge, Christoph Kerschbaumer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/\",\"name\":\"Firefox 90 supports Fetch Metadata Request Headers - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg\",\"datePublished\":\"2021-07-12T08:24:24+00:00\",\"dateModified\":\"2021-07-12T08:24:24+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/b0025300d863983a03f459ba9fe53da0\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg\",\"width\":2560,\"height\":1028},{\"@type\":\"BreadcrumbList
\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 90 supports Fetch Metadata Request Headers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/b0025300d863983a03f459ba9fe53da0\",\"name\":\"Niklas G\u00f6gge\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a3f8d17d79c9c18a3bc1536014d61fcd\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d303da40a67c180dce37151fbbf9d5da?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d303da40a67c180dce37151fbbf9d5da?s=96&d=identicon&r=g\",\"caption\":\"Niklas G\u00f6gge\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Firefox 90 supports Fetch Metadata Request Headers - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/","twitter_misc":{"Written by":"Niklas G\u00f6gge, Christoph Kerschbaumer","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/","name":"Firefox 90 supports Fetch Metadata Request Headers - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg","datePublished":"2021-07-12T08:24:24+00:00","dateModified":"2021-07-12T08:24:24+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/b0025300d863983a03f459ba9fe53da0"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/07\/fetch_metadata-scaled.jpg","width":2560,"height":1028},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/07\/12\/firefox-90-supports-fetch-metadata-request-headers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog
.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 90 supports Fetch Metadata Request Headers"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/b0025300d863983a03f459ba9fe53da0","name":"Niklas G\u00f6gge","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a3f8d17d79c9c18a3bc1536014d61fcd","url":"https:\/\/secure.gravatar.com\/avatar\/d303da40a67c180dce37151fbbf9d5da?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d303da40a67c180dce37151fbbf9d5da?s=96&d=identicon&r=g","caption":"Niklas 
G\u00f6gge"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2765"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1845"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2765"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2765\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2765"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2765"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}