Sec-Metadata `cause' field is wrong for direct user-initiated navigations
Issue description

Chrome Version : 69.0.3497.12

What steps will reproduce the problem?
1. Navigate to https://example.org by entering the URL in the address bar or clicking on a bookmark.

What is the expected result?
The `Sec-Metadata' request header value should set `cause' to "user-activated"; given that no site initiated the navigation perhaps the `site' field should be omitted? (I'm not entirely sure about that)

What happens instead of that?
Sec-Metadata: cause="forced", destination="document", target="top-level", site="cross-site"

This could be a problem for sites which implement restrictions on navigation via Sec-Metadata because they might reject (presumably trusted) address bar navigations as forced cross-site loads.
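The concern in the report, shown as an added example (not code from Chrome or from the reporter): a server-side check that rejects forced cross-site loads also rejects the address-bar navigation quoted above. The function names and both policies are hypothetical; the tolerant variant assumes top-level document GETs are safe to serve.

```python
import re

# Header value exactly as quoted in the report (address-bar navigation).
REPORTED = 'cause="forced", destination="document", target="top-level", site="cross-site"'

_PAIR = re.compile(r'\s*([a-z-]+)\s*=\s*"([^"]*)"\s*')


def parse_sec_metadata(value):
    """Parse comma-separated key="value" members; return None if malformed.

    Assumes values contain no commas, as in the header shown in the report.
    """
    fields = {}
    for member in value.split(","):
        m = _PAIR.fullmatch(member)
        if m is None or m.group(1) in fields:  # bad syntax or duplicate key
            return None
        fields[m.group(1)] = m.group(2)
    return fields


def strict_policy(method, header):
    """Hypothetical policy from the report: reject forced cross-site loads."""
    if header is None:
        return "allow"   # browser does not send Sec-Metadata at all
    md = parse_sec_metadata(header)
    if md is None:
        return "reject"  # assumption: a malformed value never comes from a browser
    if md.get("site") == "cross-site" and md.get("cause") == "forced":
        return "reject"
    return "allow"


def navigation_tolerant_policy(method, header):
    """Assumed mitigation: same rule, but exempt top-level document GETs,
    because typed/bookmarked navigations carry the same values as forced
    cross-site ones in the reported Chrome version."""
    md = parse_sec_metadata(header) if header is not None else None
    if (md and method == "GET" and md.get("destination") == "document"
            and md.get("target") == "top-level"):
        return "allow"
    return strict_policy(method, header)


if __name__ == "__main__":
    for policy in (strict_policy, navigation_tolerant_policy):
        print(policy.__name__, "GET ->", policy("GET", REPORTED),
              "| POST ->", policy("POST", REPORTED))
```

The POST case is a constructed request that reuses the reported header value; the tolerant policy still rejects it because only GET navigations are exempted.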
Jul 30
Jul 30
Sorry, I don't think the screencast has anything to do with this bug -- but it's okay, I'm fairly sure Mike understands the underlying issue.
Jul 30
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 31
aaj@, could you please let us know the clear steps/screencast where exactly the issue persists in the example.com URL to reproduce the issue from TE end. Thanks in advance!
Aug 2
Aug 14
Aug 28
BTW, the same thing happens on a hard refresh of a page (via Ctrl-R) -- the navigation request sets site="cross-site". I wonder if there is any benefit to adding a different `site' value to distinguish user-initiated navigations (address bar, bookmarklet, etc.) from web-initiated ones, though I guess the increased complexity would be a drawback.
Comment 1 by phanindra.mandapaka@chromium.org, Jul 30
Labels: Needs-Feedback Triaged-ET