The open-source browser refresh is currently rolling out with support for Fetch Metadata Request Headers, which means that web applications can better protect users against cross-site request forgery (CSRF), cross-site leaks (XS-Leaks), and speculative cross-site execution side channel attacks (such as Spectre).

With the newly introduced feature, web application servers can distinguish between same-origin and cross-origin requests, allowing them to reject or ignore malicious requests based on the information delivered in Sec-Fetch-* HTTP request headers.

“In total there are four different Sec-Fetch-* headers: Dest, Mode, Site and User which together allow web applications to protect themselves and their end users against the previously mentioned cross-site attacks,” Mozilla explained.