﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31823	Add Support for Fetch Metadata Request Headers	meggles711	meggles711	"I would like to implement Fetch Metadata Request Headers as a new security feature in Django.


== **What are Fetch Metadata Request Headers?**
Fetch metadata request headers are a relatively new security feature used to protect against cross-origin request attacks like CSRF. Browsers that support them provide request origin information to the web server inside headers with every request. This information includes what site is making the request, the mode or type of the request, and the destination of the request. The information provided in the fetch metadata request headers can be used to create a resource isolation policy that protects web application users from cross-origin attacks.

== **Proposed Changes to Django**
New checks should be added to the CSRF middleware. Currently, the middleware checks the Referer header as one method of determining request validity. When the Fetch Metadata request headers are set, these should be used for resource isolation checks instead. Otherwise, the policy will fall back on validating with the Referer header.

If the Fetch Metadata headers are set, this resource isolation policy is followed:

 * Same-site and browser-initiated requests are allowed
 * Top-level navigation (HTTP GET) is allowed
 * Developer-defined endpoints that are meant to serve cross-site traffic are allowed
 * Reject all other requests

After this policy is followed CSRF processing will continue as normal.

**Please provide me some feedback on this implementation plan and let me know if you would like to see this new security feature in Django.**
"	New feature	assigned	CSRF	dev	Normal		CSRF, Fetch, headers		Someday/Maybe	0	0	0	0	0	0
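Worked example of the resource isolation policy proposed in the ticket, added here as an illustration; it is not code from the ticket, from its author, or from Django. It is written as plain Python with no Django import so it runs stand-alone: the function names, the assumption that headers arrive as a mapping with lower-cased names, the path allowlist for cross-site endpoints, the simplified Referer fallback and the sample requests are all constructed for this example. The exclusion of `object`/`embed` destinations from "top-level navigation" goes slightly beyond the ticket's wording and is marked as such in the code.

```python
"""Resource isolation check based on Fetch Metadata request headers.

Added example, not code from the ticket or from Django.  Written as plain
Python (no Django import) so it runs stand-alone; the function names, the
header-mapping shape and the cross-site path allowlist are assumptions.
"""
from urllib.parse import urlsplit

# Sec-Fetch-Site values meaning the request was not initiated by another site
# ("none" is a browser-initiated request, e.g. a typed URL or a bookmark).
SAME_SITE_VALUES = frozenset({"same-origin", "same-site", "none"})

# Hypothetical developer-defined endpoints that intentionally serve
# cross-site traffic (a public JSON API, a webhook receiver, ...).
CROSS_SITE_ALLOWED_PATHS = frozenset({"/api/public/", "/webhooks/"})


def fetch_metadata_decision(method, path, headers,
                            cross_site_paths=CROSS_SITE_ALLOWED_PATHS):
    """Apply the ticket's four-step policy.

    Returns "allow", "reject", or "fallback".  "fallback" means the browser
    sent no Fetch Metadata headers, so the caller applies the Referer check.
    `headers` is assumed to be a mapping with lower-cased header names.
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        return "fallback"

    # 1. Same-site and browser-initiated requests are allowed.
    if site in SAME_SITE_VALUES:
        return "allow"

    # 2. Top-level navigation via HTTP GET is allowed.  Treating object/embed
    #    destinations as non-navigations is a refinement beyond the ticket's
    #    wording: those are plugin loads, not user-visible page loads.
    mode = headers.get("sec-fetch-mode")
    dest = headers.get("sec-fetch-dest", "")
    if method.upper() == "GET" and mode == "navigate" and dest not in ("object", "embed"):
        return "allow"

    # 3. Developer-defined endpoints meant to serve cross-site traffic.
    if any(path.startswith(prefix) for prefix in cross_site_paths):
        return "allow"

    # 4. Reject everything else (this is where a cross-site form POST lands).
    return "reject"


def referer_fallback_allows(headers, host):
    """Stand-in for the existing Referer check, used only when Fetch Metadata
    headers are absent (assumption: Django's real check is richer; this just
    compares the Referer host against the request host)."""
    referer = headers.get("referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == host


def is_request_allowed(method, path, headers, host):
    """Combine both checks in the order the ticket proposes: Fetch Metadata
    first, Referer only as the fallback.  CSRF token processing would follow."""
    decision = fetch_metadata_decision(method, path, headers)
    if decision == "fallback":
        return referer_fallback_allows(headers, host)
    return decision == "allow"


# Constructed sample requests against a hypothetical site "example.com".
SAMPLE_REQUESTS = {
    "same-origin-post": ("POST", "/accounts/email/", {
        "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty"}),
    "browser-initiated-get": ("GET", "/", {
        "sec-fetch-site": "none", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    "cross-site-link-get": ("GET", "/dashboard/", {
        "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    # A classic CSRF attempt: an auto-submitting cross-site form.  It is a
    # navigation, but a POST, so step 2 does not apply and it is rejected.
    "cross-site-form-post": ("POST", "/accounts/email/", {
        "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    "cross-site-embed-get": ("GET", "/dashboard/", {
        "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "embed"}),
    "cross-site-public-api": ("POST", "/api/public/search", {
        "sec-fetch-site": "cross-site", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty"}),
    # Older browsers send no Sec-Fetch-* headers: the Referer fallback decides.
    "legacy-good-referer": ("POST", "/accounts/email/", {
        "referer": "https://example.com/accounts/"}),
    "legacy-bad-referer": ("POST", "/accounts/email/", {
        "referer": "https://attacker.example/csrf.html"}),
}


def evaluate_samples(host="example.com"):
    """Return {name: allowed?} for every constructed sample request."""
    return {name: is_request_allowed(method, path, headers, host)
            for name, (method, path, headers) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'REJECT'}")
```

Two points worth noticing when running it: the cross-site form POST (the typical CSRF vector) is a `navigate` request but not a GET, so it is rejected by step 4 without ever consulting the Referer, while the same page reached by a cross-site link (GET + navigate) is allowed. Requests with no `Sec-Fetch-*` headers never reach the reject branch; they are handed to the Referer fallback, which is the ordering the ticket describes.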
