Extra layer of security helps protect against CSRF and XS-Leak attacks

Firefox becomes latest browser to support Fetch Metadata request headers

Firefox now supports Fetch Metadata request headers, Mozilla has announced, further protecting users from a number of high-impact web attacks.

The new version of the popular browser, which was made available to all users today, is the latest to include the Google-developed privacy feature.

In total, Firefox 90 will feature four different headers – Dest, Mode, Site, and User – which together allow web applications to protect users against various cross-origin threats, including cross-site request forgery (CSRF), cross-site leaks (XS-Leaks), and Spectre-style side-channel attacks.

A blog post released today (July 13) contains more information about Mozilla’s implementation of the technology.


Fetch Metadata request headers were introduced in Chrome 76, which was released in July 2019.


The headers provide web servers with extra security information that can help determine whether to block or allow requests.

They also allow a user to deploy a Resource Isolation Policy, a strong defense-in-depth mechanism.

This not only helps protect users from the potentially harmful attacks listed above, but can also help web servers to differentiate between cross-site and same-origin requests.
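A minimal sketch of how a server could apply a Resource Isolation Policy using these headers, added here as an illustration; it is not code from Mozilla, Google, or the article. It assumes the headers arrive under their on-the-wire names (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`), that same-site requests are trusted, and that the endpoint paths and the function name `allow_request` are hypothetical.

```python
# Added example: Resource Isolation Policy decision logic driven by Fetch Metadata.
# All paths and names below are hypothetical; the sample requests are constructed.

CROSS_SITE_ENDPOINTS = {"/api/public/status"}  # hypothetical opt-outs meant to be loaded cross-site
TRUSTED_SITE_VALUES = {"same-origin", "same-site", "none"}  # "none": typed URL, bookmark


def allow_request(method, path, headers):
    """Return (allowed, reason) for a single incoming request."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")

    # Browsers without Fetch Metadata send nothing: fail open so they keep
    # working, and keep other CSRF defences in place for them.
    if site is None:
        return True, "no fetch metadata"
    if site in TRUSTED_SITE_VALUES:
        return True, "trusted initiator"
    if path in CROSS_SITE_ENDPOINTS:
        return True, "cross-site endpoint"
    # Cross-site from here on: permit only plain top-level navigations
    # (for example a followed link), never subresource or embedded loads.
    if (h.get("sec-fetch-mode") == "navigate" and method.upper() == "GET"
            and h.get("sec-fetch-dest") not in {"object", "embed"}):
        return True, "top-level navigation"
    return False, "cross-site request blocked"


# Constructed sample requests: (method, path, headers)
SAMPLES = [
    ("POST", "/transfer", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                           "Sec-Fetch-Dest": "empty"}),
    ("GET", "/account", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                         "Sec-Fetch-Dest": "document"}),
    ("GET", "/avatar.png", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                            "Sec-Fetch-Dest": "image"}),
    ("POST", "/transfer", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
                           "Sec-Fetch-Dest": "empty"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLES:
        print(method, path, allow_request(method, path, headers))
```

Responses whose content depends on this decision should also vary on the three request headers so that shared caches do not serve a response across contexts.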


Fetch Metadata request headers are already available for Edge and Opera, which are also based on the open source Chromium framework.

To find out more about how Fetch Metadata request headers work, check out this interview with Lukas Weichselbaum, staff information security engineer at Google, who spoke to The Daily Swig about the technology.
