79563383

Date: 2025-04-09 03:14:18
Score: 1.5

The document https://www.w3.org/TR/fetch-metadata/ says:

To set the Sec-Fetch-Dest header for a request r:
Assert: r’s url is a potentially trustworthy URL.

And "potentially trustworthy URL" is defined here:

https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy

Items 3 and 4 of this document section say:

3. If origin’s scheme is either "https" or "wss", return "Potentially Trustworthy". ...
4. If origin’s host matches one of the CIDR notations 127.0.0.0/8 or ::1/128 [RFC4632], return "Potentially Trustworthy".

So, yes, apparently these headers are only sent if you are running from HTTPS or from localhost or any other special URL, but not from HTTP.

Reasons:
  • Blacklisted phrase (1): this document
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Everton J. Carpes
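
Added example (not part of the original answer or of the W3C documents): a JavaScript version of items 3 and 4 quoted above, useful for checking why a server sees no Sec-Fetch-* headers for a given page URL. The function names and sample URLs are constructed for illustration, and the other steps of the "potentially trustworthy" algorithm, which the answer does not quote, are not modelled.

```javascript
// Items 3 and 4 of the "potentially trustworthy" check quoted in the answer.
// Assumption: only these two items are modelled; hostnames such as "localhost"
// are covered by other steps of the specification and are out of scope here.

// True if the hostname is an IPv4 literal inside 127.0.0.0/8.
// The WHATWG URL parser has already canonicalised forms like "127.1".
function isIPv4Loopback(hostname) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false; // e.g. "127.0.0.1.example.com" is a DNS name, not an IP
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

// True if the hostname is ::1/128. A /128 is a single address, and the URL
// parser serialises every spelling of it as "[::1]".
function isIPv6Loopback(hostname) {
  return hostname === "[::1]";
}

// Returns true when the URL matches item 3 (scheme) or item 4 (loopback CIDR).
function matchesItem3Or4(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input: no request would be made for it
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true; // item 3
  return isIPv4Loopback(url.hostname) || isIPv6Loopback(url.hostname); // item 4
}

// Constructed sample URLs, not taken from the page.
const SAMPLE_URLS = [
  "https://example.com/",
  "http://example.com/",
  "http://127.0.0.1:8080/",
  "http://[0:0:0:0:0:0:0:1]:3000/",
  "http://127.0.0.1.example.com/",
];

// Maps each URL to whether items 3 or 4 would classify it as trustworthy.
function classify(urls) {
  return urls.map((u) => ({ url: u, trustworthy: matchesItem3Or4(u) }));
}

console.table(classify(SAMPLE_URLS));
```

A server that enforces policy on Sec-Fetch-Site or Sec-Fetch-Dest should treat a missing header on a plain HTTP deployment as "not sent" rather than as a failed check.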