Description:
Chrome extensions can use the chrome.webRequest API to intercept, block, or modify web requests in-flight. The events expose basic information about the request such as the URL, method, frame loaded in, tab loaded on, etc. to an extension. One thing that isn't currently exposed is the origin where the request was initiated from. This is tracked internally within Chrome for requests for same-origin checks. This is internally accessible as URLRequest::initiator().
Use case:
This will be used to identify requests to sensitive resources from untrusted origins. Additionally, in high confidence situations these anomalous requests could be blocked. There are a number of security & privacy related extensions that could make use of this data.
Motivation:
Enterprises regularly see web-related attacks against their infrastructure. Most enterprises use off-the-shelf software or appliances which they can't modify to add additional web security (isolate header, anti-framing, HSTS, etc.). By tracking the initiator of a request, we can block requests to enterprise web resources from the rest of the internet.
Existing workarounds:
No existing reliable workarounds
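The following is an added example of the kind of extension logic the request describes, not code from the bug report or from Chromium. It assumes the request's initiator is exposed on the webRequest details object as an `initiator` origin string (Chrome later added exactly such a field, using the string "null" for opaque origins and leaving it undefined for browser-initiated requests such as typed navigations). The policy object, host names and function names are constructed for illustration.

```javascript
// Added example: a blocking chrome.webRequest listener that enforces an
// initiator allowlist for sensitive enterprise resources. Assumes
// `details.initiator` carries the initiating origin (an origin string such as
// "https://app.example.corp", the string "null" for opaque origins, or
// undefined when the browser itself initiated the request).

// Constructed policy: which request hosts are sensitive and which initiator
// origins may reach them.
const POLICY = {
  sensitiveHosts: ["intranet.example.corp", "hr.example.corp"],
  allowedInitiators: ["https://intranet.example.corp", "https://sso.example.corp"],
};

// Return the request host, or null if the URL does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Decide whether a request should be blocked. Returns {block, reason} so the
// decision can be logged in high-confidence cases and merely observed otherwise.
function evaluateRequest(details, policy = POLICY) {
  const host = hostOf(details.url);
  if (host === null || !policy.sensitiveHosts.includes(host)) {
    return { block: false, reason: "not-sensitive" };
  }
  // No initiator: a typed navigation or browser-internal request. The report is
  // about requests coming from other origins, so a direct navigation is allowed.
  if (details.initiator === undefined || details.initiator === null) {
    return { block: false, reason: "no-initiator" };
  }
  // Opaque origin ("null"), e.g. a sandboxed iframe or a data: URL document, is
  // untrusted: there is no origin to put on an allowlist.
  if (details.initiator === "null") {
    return { block: true, reason: "opaque-initiator" };
  }
  if (policy.allowedInitiators.includes(details.initiator)) {
    return { block: false, reason: "allowed-initiator" };
  }
  // Anything else is the rest of the internet reaching into enterprise resources.
  return { block: true, reason: "untrusted-initiator" };
}

// Register as a blocking listener only when running inside an extension.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => {
      const verdict = evaluateRequest(details);
      if (verdict.block) {
        console.warn(`blocked ${details.url} from ${details.initiator}: ${verdict.reason}`);
      }
      return { cancel: verdict.block };
    },
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

The listener needs the `webRequest` and `webRequestBlocking` permissions plus host permissions for the URLs it inspects. The allowlist compares whole origins rather than hostnames so that a request from `http://intranet.example.corp` (a different origin from the HTTPS one) is still treated as untrusted; the "no initiator" case is deliberately allowed because blocking it would also block users typing the URL.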
Comment 1 by bugdroid1@chromium.org, Sep 26 2017