Consider enabling Sec-Fetch-Dest. #136

Closed
mikewest opened this issue Apr 1, 2019 · 7 comments

@mikewest

mikewest commented Apr 1, 2019

The Sec-Fetch-Dest header exposes the "destination" of a request, which can be quite useful in tracking down things associated with particular kinds of requests that aren't otherwise distinguishable by the Accept header (script loads, for instance). While we're debating whether it actually produces a reasonable security boundary in w3c/webappsec-fetch-metadata#16, it seems like it would produce some interesting data in the archive that would enable us to make finer-grained decisions about things related to particular request types.

For instance, I'd love to figure out which <script> requests have unreasonable MIME types. So I can block them by default. :)

The feature can be enabled via Chromium's SecMetadata feature flag.

WDYT?
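
An added example, not part of the original thread: one way to run the `<script>` MIME-type analysis described above over HAR-style request records once `Sec-Fetch-Dest` is being captured. It assumes "unreasonable" means "not a JavaScript MIME type as listed in the WHATWG MIME Sniffing standard"; the helper names and the sample entries are constructed for illustration.

```python
# JavaScript MIME type essences from the WHATWG MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/livescript",
    "text/x-ecmascript", "text/x-javascript",
} | {f"text/javascript1.{n}" for n in range(6)}

def header(headers, name):
    """First value of header `name` (case-insensitive) in a HAR header list."""
    return next((h["value"] for h in headers
                 if h["name"].lower() == name.lower()), None)

def mime_essence(content_type):
    """Reduce 'Text/JavaScript; charset=utf-8' to 'text/javascript'."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def script_mime_mismatches(har):
    """(url, essence) per Sec-Fetch-Dest: script request with a non-JS type."""
    found = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if header(req["headers"], "Sec-Fetch-Dest") != "script":
            continue  # other destinations, or header not sent
        essence = mime_essence(header(resp["headers"], "Content-Type"))
        if essence not in JS_MIME_TYPES:
            found.append((req["url"], essence or "(missing)"))
    return found

def _entry(url, dest, ctype):
    """Build a minimal HAR entry (constructed sample data, not archive data)."""
    req_h = [{"name": "Sec-Fetch-Dest", "value": dest}] if dest else []
    resp_h = [{"name": "content-type", "value": ctype}] if ctype else []
    return {"request": {"url": url, "headers": req_h},
            "response": {"headers": resp_h}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("https://example.test/app.js", "script", "application/javascript; charset=utf-8"),
    _entry("https://example.test/api/user.json", "script", "application/json"),
    _entry("https://example.test/lib.js", "script", "Text/Plain"),
    _entry("https://example.test/untyped.js", "script", None),
    _entry("https://example.test/logo.png", "image", "image/png"),
    _entry("https://example.test/legacy.js", None, "text/html"),
]}}

if __name__ == "__main__":
    for url, essence in script_mime_mismatches(SAMPLE_HAR):
        print(f"{essence:20} {url}")
```

The last sample entry shows why the header matters: without `Sec-Fetch-Dest` on the request, a script load served as `text/html` cannot be told apart from a navigation and is skipped.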

@rviscomi
Member

rviscomi commented Apr 1, 2019

I'm generally in favor of improving our telemetry.

@pmeenan Is this something you can implement in the WPT agents? And is this a change that can take effect for most of the April tests or would it have to wait until May?

@rviscomi
Member

🛎 @pmeenan ?

@pmeenan
Member

pmeenan commented Apr 25, 2019

Sorry, took me a bit to see how to turn on the features through the command-line (was easier than I thought). Testing it now.

@pmeenan
Member

pmeenan commented Apr 25, 2019

Just enabled it by default for WebPageTest. It will be available on the public instance over the next hour and will be enabled for the May crawl. Here is an example from my dev environment: https://www.webpagetest.org/result/190425_TxYG_470cd369d8110c606538d6962d73248b/1/details/#step1_request2

@rviscomi
Member

Great, thanks for looking into it!

@mikewest
Author

Thank you both! This is enabling some interesting analysis in whatwg/html#3255 (comment) and elsewhere. :)

@pmeenan
Member

pmeenan commented May 28, 2019 via email
