Closed Bug 1508292 Opened 3 years ago Closed 1 year ago

Implement Sec-Fetch-* (was: Sec-MetaData)

Categories

(Core :: DOM: Security, enhancement, P2)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox76 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Depends on 1 open bug, Regressed 1 open bug)

Details

(Keywords: dev-doc-needed, Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1508292: Implement Sec-Fetch-*. r=baku
47 bytes, text/x-phabricator-request
Details | Review 
We should consider implementing Sec-Metadata; for more info see:
https://github.com/mikewest/sec-metadata
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Summary: Implement Sec-MetaData → Implement Sec-Fetch-* (was: Sec-MetaData)
Assignee: nobody → tnguyen
Duplicate of this bug: 1574881
Depends on: 1595762
Depends on: 1596402
Assignee: tnguyen → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Depends on: 1621987

Sorry for the backout, my mistake, I've relanded the patch.

Flags: needinfo?(ckerschb)

https://hg.mozilla.org/mozilla-central/rev/5bcb1cba1a89

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox76: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Regressions: 1623400
Duplicate of this bug: 1586663
Regressions: 1624914

Hey, will there be follow up work regarding the regressions or will the pref be turned off by default?

Flags: needinfo?(ckerschb)

(In reply to Andrei Oprea [:andreio] from comment #9)

Hey, will there be follow up work regarding the regressions or will the pref be turned off by default?

The pref will remain false at least until we have resolved performance impact (Bug 1623053, Bug 1623850) and also have implemented the missing spec bits, which are Sec-Fetch-User (Bug 1621987).

Flags: needinfo?(ckerschb)
Depends on: 1628605
Regressions: 1627794

The Push regressions (bug 1623400) turned out to be our push server having an implementation limit on the number of headers it expected. Adding three additional Sec-Fetch- headers exceeded that limit by one. Maybe the other regressions are similar, especially on sites that work in Chrome so we know it's not specifically Sec-Fetch- (I believe Chrome sends slightly fewer/smaller headers than we do).

Depends on: 1648825
Depends on: 1647128
Blocks: 1695911
Regressions: 1703466
You need to log in before you can comment on or make changes to this bug.