w3c / webappsec-post-spectre-webdev

Post-Spectre Web Development
https://w3c.github.io/webappsec-post-spectre-webdev/

Why is Sec-Fetch-User not mentioned? #12

Closed annevk closed 3 years ago

annevk commented 3 years ago

This seems like something you do want to Vary on.

mikewest commented 3 years ago

Hrm. I think you're right. I pulled the Vary header from Google's implementation of a resource isolation policy, which is focused solely on subresources. Sec-Fetch-User seems like a necessary addition for documents, and there doesn't seem to be any harm in adding it for subresources as well (since it will never be sent for subresource requests, and it's not unreasonable to ask for re-validation in user-driven navigational circumstances).

WDYT, @lweichselbaum and/or @arturjanc?

arturjanc commented 3 years ago

Our general approach for Fetch Metadata has been to Vary on the request headers used to make a security decision in server-side logic. The policies we're using and published externally don't currently check Sec-Fetch-User, so we didn't include it in Vary.

I don't think there's any problem with adding it, though I also don't have any evidence to rule out edge cases with undesirable behavior if a resource does so. IMO we can default to adding it as a recommendation and see if this causes any issues.
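The server-side check this thread is discussing, as an added example that is not part of the issue and not any published Google policy: a Fetch Metadata resource isolation policy in JavaScript (Node.js assumed) where the `Vary` value is derived from the list of headers the policy is declared to consult, so a policy that starts checking `Sec-Fetch-User` automatically lists it in `Vary`, and a policy that does not check it leaves it out, matching what arturjanc describes. The `checkUserActivation` option, the choice to require `Sec-Fetch-User: ?1` on cross-site navigations, and the sample requests are assumptions for illustration, not something the thread recommends.

```javascript
'use strict';

// Builds a Fetch Metadata resource isolation policy. The headers the policy
// may consult are declared once; the Vary value is derived from that list, so
// the two cannot drift apart. `checkUserActivation` is an assumed option for
// this example: with it off, the policy behaves like the published policies
// the thread mentions (Sec-Fetch-User neither checked nor listed in Vary).
function buildPolicy({ checkUserActivation = true } = {}) {
  const consulted = ['Sec-Fetch-Site', 'Sec-Fetch-Mode', 'Sec-Fetch-Dest'];
  if (checkUserActivation) consulted.push('Sec-Fetch-User');
  const allowed = new Set(consulted.map((n) => n.toLowerCase()));
  const vary = consulted.join(', ');

  // Case-insensitive header accessor that refuses to read any header the
  // policy did not declare: consulting a header without Vary-ing on it would
  // let a shared cache hand one request's answer to a differently classified one.
  function reader(headers) {
    const lower = Object.fromEntries(
      Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
    );
    return (name) => {
      const key = name.toLowerCase();
      if (!allowed.has(key)) {
        throw new Error(`policy reads ${name} but does not Vary on it`);
      }
      return lower[key];
    };
  }

  // Returns { allow, reason, vary }; `vary` is what the response should carry
  // whether the request was allowed or rejected.
  function evaluate(method, headers) {
    const get = reader(headers);
    const result = (allow, reason) => ({ allow, reason, vary });

    const site = get('Sec-Fetch-Site');
    // Browsers without Fetch Metadata support send no Sec-Fetch-Site at all.
    if (site === undefined) return result(true, 'no-fetch-metadata');
    if (site === 'same-origin' || site === 'same-site' || site === 'none') {
      return result(true, 'same-site-or-user-typed');
    }

    // Cross-site from here on: only simple top-level navigations pass.
    const mode = get('Sec-Fetch-Mode');
    const dest = get('Sec-Fetch-Dest');
    const simpleNavigation =
      mode === 'navigate' && method === 'GET' && dest !== 'object' && dest !== 'embed';
    if (!simpleNavigation) return result(false, 'cross-site-non-navigation');

    // Assumed stricter variant: additionally require user activation.
    if (checkUserActivation && get('Sec-Fetch-User') !== '?1') {
      return result(false, 'cross-site-navigation-without-user-activation');
    }
    return result(true, 'cross-site-navigation');
  }

  return { evaluate, vary, consulted: consulted.slice() };
}

// Constructed sample requests, not captured traffic.
const SAMPLE_REQUESTS = [
  { name: 'legacy browser, no Fetch Metadata', method: 'GET', headers: {} },
  { name: 'same-origin XHR', method: 'GET',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { name: 'cross-site link click', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate',
               'sec-fetch-dest': 'document', 'sec-fetch-user': '?1' } },
  { name: 'cross-site script-driven navigation', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site <img>', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
];

// Runs every sample through a policy; returns [{ name, allow, reason }].
function auditSamples(policy) {
  return SAMPLE_REQUESTS.map(({ name, method, headers }) => {
    const { allow, reason } = policy.evaluate(method, headers);
    return { name, allow, reason };
  });
}

const policy = buildPolicy();
console.log('Vary:', policy.vary);
console.table(auditSamples(policy));
```

The reader guard is the check worth keeping in a real deployment: if someone later makes the policy consult a header that is not in the declared list, evaluation throws in tests instead of silently producing responses that a shared cache may reuse across the wrong requests. The two samples that differ only in `Sec-Fetch-User` show why the thread wants it in `Vary` once a policy checks it: with the option on they get different answers, so a cache must key on that header to keep them apart.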