Chrome Version : 70.0.3510.0
OS Version:
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari: N/A
Firefox: N/A
IE/Edge: N/A
What steps will reproduce the problem?
1. Create a page which embeds a resource whose src points to an open redirect which redirects to a cross-origin/same-site endpoint
(e.g. <img src="/redirect?location=https://crossorigin.com/image.img"/>
or <img src="/redirect?location=https://same-site.com/image.img"/>)
2. Observe the Sec-Metadata headers being sent in the developer console, especially for the final resource request.
3. If you have the web platform tests suite installed locally, you can serve the attached file (./wpt serve) and run the redirect test (which uses the existing redirect) to inspect the Sec-Metadata header behaviour.
What is the expected result?
The Sec-Metadata header site value should be 'cross-site' in the first case and 'same-site' in the second case.
What happens instead of that?
The site value is 'same-origin' (probably inherited from the first redirect).
Please provide any additional information below. Attach a screenshot if possible.
Screenshot of Chrome developer console attached.
UserAgentString: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3510.0 Safari/537.36
Attachments:
cross-origin-with-same-origin-secmetadata.png (170 KB)
same-origin-redirect.tentative.https.sub.html (3.5 KB)
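The report expects the site value to reflect where the request actually ends up, not the first hop of the redirect. The Fetch Metadata spec (where this header is now called Sec-Fetch-Site) gets that result by walking every URL in the request's redirect chain and only ever letting the value get "worse": same-origin, then same-site, then cross-site. The following is an added example, not code from the report or from Chromium, that contrasts that chain-wide computation with the first-hop-only behaviour described above. The hostnames are constructed placeholders, and the registrable-domain helper is a simplification (last two labels) that a real implementation would replace with a Public Suffix List lookup.

```javascript
// Added example (not Chromium code): compute the Sec-Metadata / Sec-Fetch-Site
// "site" value across a full redirect chain, versus freezing it after hop one.
// All hostnames below are constructed placeholders.

// Simplified registrable domain: last two DNS labels. Assumption made to keep
// the example self-contained; real code consults the Public Suffix List so
// that e.g. "co.uk" is not treated as a registrable domain.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isSameOrigin(a, b) {
  // URL.host includes the port, so scheme + host is the full origin tuple.
  return a.protocol === b.protocol && a.host === b.host;
}

function isSameSite(a, b) {
  // Schemeful same-site: same scheme and same registrable domain.
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Classify one URL relative to the initiator's origin.
function classify(initiator, url) {
  if (isSameOrigin(initiator, url)) return 'same-origin';
  if (isSameSite(initiator, url)) return 'same-site';
  return 'cross-site';
}

// Spec-style: every URL in the chain is considered and the value can only
// move toward cross-site. This yields the result the report expects.
function siteValueForChain(initiatorOrigin, urlChain) {
  const initiator = new URL(initiatorOrigin);
  const rank = { 'same-origin': 0, 'same-site': 1, 'cross-site': 2 };
  let value = 'same-origin';
  for (const u of urlChain) {
    const c = classify(initiator, new URL(u));
    if (rank[c] > rank[value]) value = c;
    if (value === 'cross-site') break; // cannot get any worse
  }
  return value;
}

// The behaviour the report describes: the value computed for the first
// request is carried over unchanged to the post-redirect request.
function siteValueFirstHopOnly(initiatorOrigin, urlChain) {
  return classify(new URL(initiatorOrigin), new URL(urlChain[0]));
}

// Constructed redirect chains mirroring the two cases in the report.
const PAGE = 'https://app.example.org';
const CROSS_SITE_CHAIN = [
  PAGE + '/redirect?location=https://crossorigin.example/image.img',
  'https://crossorigin.example/image.img',
];
const SAME_SITE_CHAIN = [
  PAGE + '/redirect?location=https://static.example.org/image.img',
  'https://static.example.org/image.img',
];

for (const [label, chain] of [['cross-site', CROSS_SITE_CHAIN], ['same-site', SAME_SITE_CHAIN]]) {
  console.log(label + ' case: chain-wide =', siteValueForChain(PAGE, chain),
    '| first-hop-only =', siteValueFirstHopOnly(PAGE, chain));
}
```

A server that gates a resource on `Sec-Fetch-Site: same-origin` is only as safe as this computation: if the browser reports the first hop's value after a redirect, an open redirect on the page's own origin would let a cross-site embed reach the final endpoint while still carrying the same-origin label.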
Comment 1 by mkwst@chromium.org, Aug 13
Components: Blink>SecurityFeature
Labels: allpublic
Status: Available (was: Unconfirmed)