Fix Sec-Fetch-Site header (#37277)

While working on #37209 I discovered that the header was computed
incorrectly. After carefully reading the specification, I realized that
the link in the spec was wrong and we were missing the fact that for
host-domains, we should operate on the registrable domain.

Additionally, the same-site call was missing the negation.

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-06-07 18:57:29 +02:00 committed by GitHub
parent a625420b23
commit c808ff7666
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
36 changed files with 41 additions and 444 deletions

View file

@ -329,7 +329,7 @@ fn test_request_and_response_data_with_network_messages() {
);
headers.insert(
HeaderName::from_static("sec-fetch-site"),
HeaderValue::from_static("same-site"),
HeaderValue::from_static("cross-site"),
);
headers.insert(
HeaderName::from_static("sec-fetch-user"),