Add considerations for extension contexts. (#76)

SHA: 17b4633 Reason: push, by @mikewest Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
w3c · Jul 20, 2021 · b0b32c4 · b0b32c4
1 parent 40e85ed
commit b0b32c4
Showing 1 changed file with 34 additions and 1 deletion.
diff --git a/index.html b/index.html
@@ -7,7 +7,7 @@
   <link href="https://www.w3.org/StyleSheets/TR/2016/W3C-WD" rel="stylesheet" type="text/css">
   <meta content="Bikeshed version bb6b91100, updated Mon Jul 12 16:52:37 2021 -0700" name="generator">
   <link href="https://www.w3.org/TR/fetch-metadata/" rel="canonical">
-  <meta content="c390bc2af0e8ce9ce5ea0c1ce97077c3e73344a0" name="document-revision">
+  <meta content="17b46334ba09170cb3eafb96e0efa4739815fee5" name="document-revision">
 <style>/* style-autolinks */
 
 .css.css, .property.property, .descriptor.descriptor {
@@ -360,6 +360,7 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
       <li><a href="#redirects"><span class="secno">4.1</span> <span class="content">Redirects</span></a>
       <li><a href="#sec-prefix"><span class="secno">4.2</span> <span class="content">The <code>Sec-</code> Prefix</span></a>
       <li><a href="#directly-user-initiated"><span class="secno">4.3</span> <span class="content">Directly User-Initiated Requests</span></a>
+      <li><a href="#extension-initiated"><span class="secno">4.4</span> <span class="content">Extension-Initiated Requests</span></a>
      </ol>
     <li>
      <a href="#deployment-considerations"><span class="secno">5</span> <span class="content">Deployment Considerations</span></a>
@@ -703,6 +704,31 @@ <h3 class="heading settled" data-level="4.3" id="directly-user-initiated"><span
 user agent’s bookmark bar, another app entirely, etc), then <code>Sec-Fetch-Site: none</code> may be
 appropriate.</p>
    </ul>
+   <h3 class="heading settled" data-level="4.4" id="extension-initiated"><span class="secno">4.4. </span><span class="content">Extension-Initiated Requests</span><a class="self-link" href="#extension-initiated"></a></h3>
+   <p>Some user agents support extensions which are capable of making requests, and which can be empowered
+beyond regular web content in order to give users more control over their web experience. While these
+are somewhat outside the scope of the web platform, user agents are encouraged to carefully consider
+how these requests are to be represented to servers. In general, it would be ideal for user agents to
+satisfy two goals:</p>
+   <ol>
+    <li data-md>
+     <p>Extensions without special privileges for a given site cannot cause requests that would bypass
+that site’s server-side Fetch Metadata logic.</p>
+    <li data-md>
+     <p>Developers can recognize extensions' requests so that they can be exempted from the server’s Fetch
+Metadata logic if it chooses to do so. This increases developers' ability to confidently deploy
+Fetch Metadata protections without undermining legitimate user interests.</p>
+   </ol>
+   <p>With these goals in mind, user agents are encouraged to implement the following behaviors:</p>
+   <ol>
+    <li data-md>
+     <p>If an extension does not have permission to access to a given URL, its requests to that URL could
+contain a <code>Sec-Fetch-Site</code> header whose value is <code>cross-site</code>, just as a normal web request would.
+If the extension does have access to a given URL, the <code>Sec-Fetch-Site</code> value could be <code>same-origin</code>.</p>
+    <li data-md>
+     <p>The <code>Origin</code> header could be included with outgoing requests from extension contexts, with an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#implementation-defined" id="ref-for-implementation-defined">implementation-defined</a> value that allows servers to distinguish extension-initiated requests
+from web-initiated requests.</p>
+   </ol>
    <h2 class="heading settled" data-level="5" id="deployment-considerations"><span class="secno">5. </span><span class="content">Deployment Considerations</span><a class="self-link" href="#deployment-considerations"></a></h2>
    <h3 class="heading settled" data-level="5.1" id="vary"><span class="secno">5.1. </span><span class="content">Vary</span><a class="self-link" href="#vary"></a></h3>
    <p>If a given endpoint’s response depends upon the values the client delivers in a <a data-link-type="dfn" href="#fetch-metadata-headers" id="ref-for-fetch-metadata-headers①">Fetch metadata header</a>, developers should be careful to include an appropriate <code>Vary</code> header <a data-link-type="biblio" href="#biblio-rfc7231">[RFC7231]</a>, in order to ensure that caches handle the response appropriately. For example, <code>Vary: Accept-Encoding, Sec-Fetch-Site</code>.</p>
@@ -992,6 +1018,12 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
     <li><a href="#ref-for-iteration-continue">2.3. The Sec-Fetch-Site HTTP Request Header</a>
    </ul>
   </aside>
+  <aside class="dfn-panel" data-for="term-for-implementation-defined">
+   <a href="https://infra.spec.whatwg.org/#implementation-defined">https://infra.spec.whatwg.org/#implementation-defined</a><b>Referenced in:</b>
+   <ul>
+    <li><a href="#ref-for-implementation-defined">4.4. Extension-Initiated Requests</a>
+   </ul>
+  </aside>
   <aside class="dfn-panel" data-for="term-for-potentially-trustworthy-url">
    <a href="https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url">https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url</a><b>Referenced in:</b>
    <ul>
@@ -1047,6 +1079,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
     <ul>
      <li><span class="dfn-paneled" id="term-for-iteration-break">break</span>
      <li><span class="dfn-paneled" id="term-for-iteration-continue">continue</span>
+     <li><span class="dfn-paneled" id="term-for-implementation-defined">implementation-defined</span>
     </ul>
    <li>
     <a data-link-type="biblio">[secure-contexts]</a> defines the following terms: