
Commit 8f469d9

Add Sec-Fetch-User to Vary recommendations.
Closes w3c#12.
1 parent 44b681d commit 8f469d9

File tree

1 file changed

+12
-11
lines changed


index.bs

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -266,8 +266,9 @@ seem generally applicable:
266266
1. Sites should use Fetch Metadata to make good decisions about when to serve resources, as
267267
described in [[resource-isolation-policy]]. In order to ensure that decision sticks, servers
268268
should explain its decision to the browser by sending a <a http-header>`Vary`</a> header
269-
containing `Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site`. This ensures that the server has
270-
a chance to make different decisions for requests which will be *used* differently.
269+
containing `Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User`. This ensures that
270+
the server has a chance to make different decisions for requests which will be *used*
271+
differently.
271272

272273
2. Subresources should opt-out of MIME type sniffing by sending an
273274
<a http-header>`X-Content-Type-Options`</a> header with a value of `nosniff`. This increases the
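Review bot: the reworded recommendation at 269-271 adds `Sec-Fetch-User` to the `Vary` list but keeps the rationale generic ("requests which will be *used* differently"); since `Sec-Fetch-User` is only sent on navigation requests that carry user activation, it would help to say so here, so readers understand that varying on it only splits cache entries for navigations and has no effect on subresource responses. One extra clause would do, e.g. "(`Sec-Fetch-User` is present only on user-activated navigations, so it affects caching of navigation responses only)".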
@@ -302,7 +303,7 @@ few times below:
302303
<pre highlight="http">
303304
Content-Security-Policy: sandbox
304305
Cross-Origin-Opener-Policy: same-origin
305-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
306+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
306307
X-Content-Type-Options: nosniff
307308
X-Frame-Options: DENY
308309
</pre>
@@ -358,7 +359,7 @@ in question. A few cases are well worth considering:
358359
<strong>Cross-Origin-Resource-Policy: same-origin</strong>
359360
Content-Security-Policy: sandbox
360361
Cross-Origin-Opener-Policy: same-origin
361-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
362+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
362363
X-Content-Type-Options: nosniff
363364
X-Frame-Options: DENY
364365
</pre>
@@ -386,7 +387,7 @@ in question. A few cases are well worth considering:
386387
Cross-Origin-Resource-Policy: same-origin</strong>
387388
Content-Security-Policy: sandbox
388389
Cross-Origin-Opener-Policy: same-origin
389-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
390+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
390391
X-Content-Type-Options: nosniff
391392
X-Frame-Options: DENY
392393
</pre>
@@ -412,7 +413,7 @@ in question. A few cases are well worth considering:
412413
<strong>Cross-Origin-Resource-Policy: cross-origin</strong>
413414
Content-Security-Policy: sandbox
414415
Cross-Origin-Opener-Policy: same-origin
415-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
416+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
416417
X-Content-Type-Options: nosniff
417418
X-Frame-Options: DENY
418419
</pre>
@@ -451,7 +452,7 @@ headers could be appropriate:
451452
<pre highlight="http">
452453
Cross-Origin-Opener-Policy: same-origin
453454
Cross-Origin-Resource-Policy: same-origin
454-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
455+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
455456
X-Content-Type-Options: nosniff
456457
X-Frame-Options: SAMEORIGIN
457458
</pre>
@@ -479,7 +480,7 @@ like the following set of response headers might be appropriate:
479480
<pre highlight="http">
480481
Cross-Origin-Opener-Policy: same-origin-allow-popups
481482
Cross-Origin-Resource-Policy: same-origin
482-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
483+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
483484
X-Content-Type-Options: nosniff
484485
X-Frame-Options: SAMEORIGIN
485486
</pre>
@@ -506,7 +507,7 @@ or fetched cross-origin. Three scenarios are worth considering:
506507
<pre highlight="http">
507508
Cross-Origin-Resource-Policy: same-origin
508509
<strong>Cross-Origin-Opener-Policy: unsafe-none</strong>
509-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
510+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
510511
X-Content-Type-Options: nosniff
511512
X-Frame-Options: SAMEORIGIN
512513
</pre>
@@ -521,7 +522,7 @@ or fetched cross-origin. Three scenarios are worth considering:
521522
<pre highlight="http">
522523
Cross-Origin-Resource-Policy: same-origin
523524
Cross-Origin-Opener-Policy: same-origin
524-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
525+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
525526
X-Content-Type-Options: nosniff
526527
<strong>X-Frame-Options: ALLOWALL</strong>
527528
</pre>
@@ -549,7 +550,7 @@ or fetched cross-origin. Three scenarios are worth considering:
549550
<pre class="lang-http">
550551
Cross-Origin-Resource-Policy: same-origin
551552
<strong>Cross-Origin-Opener-Policy: unsafe-none</strong>
552-
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
553+
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
553554
X-Content-Type-Options: nosniff
554555
<strong>X-Frame-Options: ALLOWALL</strong>
555556
</pre>
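Review bot: the `Vary` value is now consistent across all eight header examples, but this last block opens with `<pre class="lang-http">` while every other example in the diff uses `<pre highlight="http">`; since the commit touches this block anyway, consider normalising it to `<pre highlight="http">` so the examples render with the same syntax highlighting.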
