https://blog.mozilla.org/security/2021/07/12/firefox-90-supports-fetch-metadata-request-headers/ Mozilla Menu * Internet Health * Technology * Give Download Firefox Mozilla Security Blog * Search this site [ ] Search Categories: Announcements Security Firefox 90 supports Fetch Metadata Request Headers Niklas Gogge and Christoph Kerschbaumer July 12, 2021 We are pleased to announce that Firefox 90 will support Fetch Metadata Request Headers which allows web applications to protect themselves and their users against various cross-origin threats like (a) cross-site request forgery (CSRF), (b) cross-site leaks (XS-Leaks ), and (c) speculative cross-site execution side channel (Spectre) attacks. Cross-site attacks on Web Applications The fundamental security problem underlying cross-site attacks is that the web in its open nature does not allow web application servers to easily distinguish between requests originating from its own application or originating from a malicious (cross-site) application, potentially opened in a different browser tab. [fetch_metadata-scaled] Firefox 90 sending Fetch Metadata (Sec-Fetch-*) Request Headers which allows web application servers to protect themselves against all sorts of cross site attacks. For example, as illustrated in the Figure above, let's assume you log into your banking site hosted at https://banking.com and you conduct some online banking activities. Simultaneously, an attacker controlled website opened in a different browser tab and illustread as https://attacker.com performs some malicious actions. Innocently, you continue to interact with your banking site which ultimately causes the banking web server to receive some actions. Unfortunately the banking web server has little to no control of who initiated the action, you or the attacker in the malicious website in the other tab. Hence the banking server or generally web application servers will most likely simply execute any action received and allow the attack to launch. Introducing Fetch Metadata As illustrated in the attack scenario above, the HTTP request header Sec-Fetch-Site allows the web application server to distinguish between a same-origin request from the corresponding web application and a cross-origin request from an attacker-controlled website. Inspecting Sec-Fetch-* Headers ultimately allows the web application server to reject or also ignore malicious requests because of the additional context provided by the Sec-Fetch-* header family. In total there are four different Sec-Fetch-* headers: Dest, Mode, Site and User which together allow web applications to protect themselves and their end users against the previously mentioned cross-site attacks. Going Forward While Firefox will soon ship with it's new Site Isolation Security Architecture which will combat a few of the above issues, we recommend that web applications make use of the newly supported Fetch Metadata headers which provide a defense in depth mechanism for applications of all sorts. As a Firefox user, you can benefit from the additionally provided headers as soon as your Firefox auto-updates to version 90. If you aren't a Firefox user yet, you can download the latest version here to start benefiting from all the ways that Firefox works to protect you when browsing the internet. Browse fast. Browse free. Download Firefox Previous article Updating GPG key for signing Firefox Releases June 2, 2021 More articles in "Announcements" * Updating GPG key for signing Firefox Releases June 2, 2021 * Introducing Site Isolation in Firefox May 18, 2021 * Firefox 83 introduces HTTPS-Only Mode November 17, 2020 * Multi-Account Containers Add-on Sync Feature February 6, 2020 * Hardening Firefox against Injection Attacks October 14, 2019 Recent articles * Updating GPG key for signing Firefox Releases June 2, 2021 * Firefox 89 blocks cross-site cookie tracking by default in private browsing June 1, 2021 * Updates to Firefox's Breach Alert Policy May 25, 2021 * Introducing Site Isolation in Firefox May 18, 2021 * Beware of Applications Misusing Root Stores May 10, 2021 Keep up with all things Firefox. Your e-mail address [ ] Country [- select - ] Language [English ] (*) HTML ( ) Text [ ] I'm okay with Mozilla handling my info as explained in this Privacy Policy. Sign up now We will only send you Mozilla-related information. Thanks! If you haven't previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an e-mail from us. Mozilla Mozilla * About * Contact Us * Donate * + Twitter (@mozilla) + Instagram (@mozillagram) Firefox * Download Firefox * Desktop * Mobile * Features * Beta, Nightly, Developer Edition * + Twitter (@firefox) + YouTube (firefoxchannel) * Website Privacy Notice * Cookies * Legal Visit Mozilla Corporation's not-for-profit parent, the Mozilla Foundation. Portions of this content are (c)1998-2021 by individual contributors. Content available under a Creative Commons license.