[Webkit-unassigned] [Bug 260284] New: Incorrect Sec-Fetch-Site values on sandboxed iframes
bugzilla-daemon at webkit.org
Wed Aug 16 13:06:27 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=260284
Bug ID: 260284
Summary: Incorrect Sec-Fetch-Site values on sandboxed iframes
Product: WebKit
Version: Safari 16
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jerryzz at google.com
The Sec-Fetch-Site header is supposed to reflect the relationship between the origin of a request's initiator and the origin of its target. (https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header)
However, the current behavior seems to be incorrect for sandboxed iframes, where a same-origin URL will result in a Sec-Fetch-Site header with value "cross-site", i.e.:
Reproduction steps:
Visit https://polar-purrfect-pangolin.glitch.me/sandboxediframe.html which contains:
<iframe src="https://polar-purrfect-pangolin.glitch.me/" sandbox></iframe>
Expected behavior:
The Sec-Fetch-Site header of the sandboxed iframe request has value "same-origin"
Actual behavior:
The Sec-Fetch-Site header of the sandboxed iframe request has value "cross-site"
https://bugs.webkit.org/show_bug.cgi?id=256472 may be related.
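Added example (not part of the bug report and not WebKit's code): a minimal JavaScript implementation of the "Sec-Fetch-Site" computation from the Fetch Metadata spec the report links, run over the report's scenario. It assumes the request's origin is the initiating document's origin, models an opaque (sandboxed) origin as null, and uses a simplified registrable-domain helper that takes the last two host labels instead of consulting the Public Suffix List; the example.com/example.org inputs are constructed.

```javascript
// Illustrative implementation of the Sec-Fetch-Site algorithm from
// https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header
// (added example; not WebKit's implementation).

// Simplification: real browsers consult the Public Suffix List. Here the
// registrable domain is just the last two labels of the host.
function registrableDomain(host) {
  const labels = host.split(".");
  return labels.length <= 2 ? host : labels.slice(-2).join(".");
}

// An opaque origin (e.g. a sandboxed frame without allow-same-origin) is
// modelled as null: it is same-origin and same-site with nothing.
function isOpaque(origin) {
  return origin === null;
}

function sameOrigin(a, b) {
  if (isOpaque(a) || isOpaque(b)) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Schemeful same-site: same scheme and same registrable domain.
function sameSite(a, b) {
  if (isOpaque(a) || isOpaque(b)) return false;
  return a.scheme === b.scheme &&
         registrableDomain(a.host) === registrableDomain(b.host);
}

// Parse a URL into a (scheme, host, port) origin tuple.
function originOfUrl(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(":", "");
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname, port };
}

// initiatorOrigin: the request's origin (null when opaque).
// urlList: every URL the request visited, including redirect hops.
// userInitiated: navigations the user caused directly (typed URL, bookmark).
function secFetchSite(initiatorOrigin, urlList, userInitiated = false) {
  if (userInitiated) return "none";
  let value = "same-origin";
  for (const url of urlList) {
    const target = originOfUrl(url);
    if (sameOrigin(initiatorOrigin, target)) continue;
    value = "cross-site";
    if (!sameSite(initiatorOrigin, target)) break; // any cross-site hop wins
    value = "same-site";
  }
  return value;
}

// The report's scenario: the parent page embeds a sandboxed iframe pointing
// at the same origin.
function reportScenario() {
  const parentPage = "https://polar-purrfect-pangolin.glitch.me/sandboxediframe.html";
  const frameUrl = "https://polar-purrfect-pangolin.glitch.me/";
  return {
    // Expected: the parent document initiates the navigation, so the
    // request's origin is the parent's origin.
    expected: secFetchSite(originOfUrl(parentPage), [frameUrl]),
    // The reported "cross-site" value is what the algorithm yields only if an
    // opaque origin is used as the initiator (illustration of the mismatch).
    withOpaqueInitiator: secFetchSite(null, [frameUrl]),
  };
}

console.log(reportScenario());
```

Servers that enforce a Fetch Metadata resource isolation policy (rejecting requests whose Sec-Fetch-Site is "cross-site") will therefore refuse same-origin sandboxed embeds from a browser that emits the reported value, which is a reason to allow-list by path rather than treat the header as the sole signal until the value is consistent across engines.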