Issue 868286

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug

Blocking:
issue 843478



Sec-Metadata `cause' field is wrong for direct user-initiated navigations

Project Member Reported by a...@google.com, Jul 27

Issue description

Chrome Version       : 69.0.3497.12

What steps will reproduce the problem?
1. Navigate to https://example.org by entering the URL in the address bar or clicking on a bookmark.

What is the expected result?
The `Sec-Metadata' request header value should set `cause' to "user-activated"; given that no site initiated the navigation perhaps the `site' field should be omitted? (I'm not entirely sure about that)

What happens instead of that?
Sec-Metadata: cause="forced", destination="document", target="top-level", site="cross-site"

This could be a problem for sites which implement restrictions on navigation via Sec-Metadata because they might reject (presumably trusted) address bar navigations as forced cross-site loads.
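
The false rejection described above, as an added example that is not part of the original report or of Chromium's code: a hypothetical server-side check (`strict_policy`) applied to the header value quoted in the report, beside a hypothetical relaxed rule (`navigation_aware_policy`). The function names, both policies and the subresource sample are assumptions.

```python
import re

# Header Chrome 69.0.3497.12 sent for an address-bar navigation (quoted in the report).
REPORTED = 'cause="forced", destination="document", target="top-level", site="cross-site"'
# What the report expected instead: "user-activated", with `site` omitted (constructed).
EXPECTED = 'cause="user-activated", destination="document", target="top-level"'
# Constructed sample of a cross-site subresource load; field values are assumed.
SUBRESOURCE = 'cause="forced", destination="image", target="subresource", site="cross-site"'

_MEMBER = re.compile(r'\s*([a-z-]+)\s*=\s*"([^"]*)"\s*')


def parse_sec_metadata(value):
    """Parse comma-separated key="value" members; raise ValueError if malformed."""
    fields = {}
    # A plain split is enough for the values shown here, none of which contain commas.
    for part in value.split(","):
        match = _MEMBER.fullmatch(part)
        if match is None:
            raise ValueError(f"malformed Sec-Metadata member: {part!r}")
        fields[match.group(1)] = match.group(2)
    return fields


def strict_policy(fields):
    """Hypothetical rule: refuse cross-site requests the user did not activate."""
    forced = fields.get("cause") != "user-activated"
    return not (fields.get("site") == "cross-site" and forced)


def navigation_aware_policy(fields):
    """Hypothetical relaxed rule: always admit top-level document navigations.

    Trade-off: with the values reported, an address-bar load and a
    web-initiated cross-site navigation look identical, so both are admitted.
    """
    if fields.get("destination") == "document" and fields.get("target") == "top-level":
        return True
    return strict_policy(fields)


if __name__ == "__main__":
    for name, raw in (("reported", REPORTED), ("expected", EXPECTED), ("subresource", SUBRESOURCE)):
        f = parse_sec_metadata(raw)
        print(f"{name:12} strict={strict_policy(f)} relaxed={navigation_aware_policy(f)}")
```

With the reported header the strict rule refuses the address-bar navigation, while the relaxed rule admits it and still refuses the cross-site subresource sample.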
 
Cc: phanindra.mandapaka@chromium.org
Labels: Needs-Feedback Triaged-ET
Tested this on reported chrome 69.0.3497.12 using Ubuntu 17.10. Attached screen-cast for reference.

@Reporter: As we are not sure about this issue, we request you to review the screen-cast and provide specific/proper steps for better triaging.

Thanks..! 
Attachment: 868286.webm (6.4 MB)
Sorry, I don't think the screencast has anything to do with this bug -- but it's okay, I'm fairly sure Mike understands the underlying issue.
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 30

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: jmukthavaram@chromium.org
Labels: Needs-Feedback
aaj@,
Could you please let us know the clear steps/screencast where exactly the issue persists in the example.com URL, to reproduce the issue from the TE end?
Thanks in advance!
Cc: mkwst@chromium.org
Labels: -Needs-Feedback OS-Android OS-Chrome OS-Mac OS-Windows
Owner: ----
Status: Available (was: Unconfirmed)
Blocking: 843478
Labels: allpublic
BTW, the same thing happens on a hard refresh of a page (via Ctrl-R) -- the navigation request sets site="cross-site". I wonder if there is any benefit to adding a different `site' value to distinguish user-initiated navigations (address bar, bookmarklet, etc.) from web-initiated ones, though I guess the increased complexity would be a drawback.
