[FEATURE PROPOSAL] Implement Resource Isolation Policy (based on fetch metadata HTTP headers)

A new set of “fetch metadata” request headers has been defined recently in order to expose how a particular request is performed (from the same site / same origin vs cross-site vs top-level navigation) and what the destination of the requested content is (document vs image tag vs object tag vs worker, etc.). More on that here: https://github.com/rails/rails/issues/39640

My team is thinking about implementing a middleware that could handle the information from those headers in Rails. It could be done in a similar fashion to ActionDispatch::ContentSecurityPolicy or ActionDispatch::FeaturePolicy. The general resource isolation policy could be similar to the one suggested in this article: Protect your resources from web attacks with Fetch Metadata, and more detailed policies could be specified on a controller level using additional helpers.

If you think this is a good idea, we could submit a PR. If you think it’s not, then we could release it as a gem. https://github.com/github/secure_headers could also be a good place for that, but it seems it’s going to be archived soon (https://github.com/github/secure_headers/issues/441#issuecomment-644465823).
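
For illustration, a sketch of what such a middleware could look like. This is an added example, not code from the post, Rails or secure_headers. The class name `ResourceIsolationPolicy`, the `exempt_paths` option and the exact allow rules are assumptions, built on the `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` request headers.

```ruby
# Added example: Rack-style middleware sketch; class and option names are hypothetical.
class ResourceIsolationPolicy
  ALLOWED_SITES = %w[same-origin same-site none].freeze
  BLOCKED_NAVIGATION_DESTS = %w[object embed].freeze

  # exempt_paths: endpoints meant to be loaded cross-site (assumed option).
  def initialize(app, exempt_paths: [])
    @app = app
    @exempt_paths = exempt_paths
  end

  def call(env)
    return @app.call(env) if allowed?(env)
    [403, { "content-type" => "text/plain" }, ["Blocked by resource isolation policy\n"]]
  end

  def allowed?(env)
    site = env["HTTP_SEC_FETCH_SITE"]
    # Clients that send no fetch metadata are let through for compatibility.
    return true if site.nil?
    # Same-origin, same-site and user-initiated (address bar, bookmark) requests.
    return true if ALLOWED_SITES.include?(site)
    return true if @exempt_paths.include?(env["PATH_INFO"])
    # Cross-site: only plain top-level navigations, not <object>/<embed> loads.
    env["HTTP_SEC_FETCH_MODE"] == "navigate" &&
      env["REQUEST_METHOD"] == "GET" &&
      !BLOCKED_NAVIGATION_DESTS.include?(env["HTTP_SEC_FETCH_DEST"])
  end
end

# Constructed sample requests (Rack env hashes), run against a stub app.
def demo_statuses
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  policy = ResourceIsolationPolicy.new(app, exempt_paths: ["/widget.js"])
  base = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/account" }
  cross = base.merge("HTTP_SEC_FETCH_SITE" => "cross-site")
  nav = cross.merge("HTTP_SEC_FETCH_MODE" => "navigate", "HTTP_SEC_FETCH_DEST" => "document")
  {
    legacy_client: base,
    same_origin: base.merge("HTTP_SEC_FETCH_SITE" => "same-origin"),
    cross_site_image: cross.merge("HTTP_SEC_FETCH_MODE" => "no-cors", "HTTP_SEC_FETCH_DEST" => "image"),
    cross_site_link: nav,
    cross_site_form_post: nav.merge("REQUEST_METHOD" => "POST"),
    cross_site_embed: nav.merge("HTTP_SEC_FETCH_DEST" => "embed"),
    exempt_widget: cross.merge("PATH_INFO" => "/widget.js", "HTTP_SEC_FETCH_MODE" => "no-cors")
  }.transform_values { |env| policy.call(env)[0] }
end
```

In a Rails app a class like this would be registered with `config.middleware.use`; per-controller overrides of the kind the proposal mentions are outside this sketch.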