[FEATURE PROPOSAL] Implement Resource Isolation Policy (based on fetch metadata HTTP headers)

A new set of “fetch metadata” request headers has been defined recently in order to expose how a particular request is performed (from the same site / same origin vs cross-site vs top-level navigation) and what is the destination of the requested content (document vs image tag vs object tag vs worker, etc.). More on that here: Add Fetch Metadata Browser Headers · Issue #39640 · rails/rails · GitHub

My team is thinking about implementing a middleware that could handle the information from those headers in Rails. It could be done in a similar fashion as ActionDispatch::ContentSecurityPolicy or ActionDispatch::FeaturePolicy. The general resource isolation policy could be similar to one suggested in this article: Protect your resources from web attacks with Fetch Metadata and more detailed policies could be specified on a controller level using additional helpers.

If you think this is a good idea, we could submit a PR. If you think it’s not then we could release it as a gem. GitHub - github/secure_headers: Manages application of security headers with many safe defaults could also be a good place for that, but it seems it’s going to be archived soon (Fetch Metadata Browser Headers · Issue #441 · github/secure_headers · GitHub).

1 Like