Closed annevk closed 3 years ago
Hrm. I think you're right. I pulled the Vary header from Google's implementation of a resource isolation policy, which is focused solely on subresources. Sec-Fetch-User seems like a necessary addition for documents, and there doesn't seem to be any harm in adding it for subresources as well (since it will never be sent for subresource requests, and it's not unreasonable to ask for re-validation in user-driven navigational circumstances).
WDYT, @lweichselbaum and/or @arturjanc?
Our general approach for Fetch Metadata has been Vary on the request headers used to make a security decision in server-side logic. The policies we're using and published externally don't currently check Sec-Fetch-User, so we didn't include it in Vary.
I don't think there's any problem with adding it, though I also don't have any evidence to rule out edge cases with undesirable behavior if a resource does so. IMO we can default to adding it as a recommendation and see if this causes any issues.
This seems like something you do want to Vary on.
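The rule discussed in this thread, that a server must Vary on every Fetch Metadata header its resource isolation policy reads, as an added example in Python that is not code from the thread or from Google's published policy. The decision logic follows the shape of a typical resource isolation policy; the `sensitive` flag and the use of Sec-Fetch-User to gate non-user-activated cross-site navigations are assumptions made for illustration.

```python
"""Resource isolation policy built on Fetch Metadata request headers.

The response's Vary header is derived from the same list the decision
reads, so a cache can never serve a response computed for one request
context (e.g. a same-origin fetch) to a request in another.
"""
from dataclasses import dataclass
from typing import Dict

# Every header consulted by isolation_policy(). Vary is built from this
# list, so adding a header to the decision automatically adds it to Vary.
POLICY_HEADERS = ("Sec-Fetch-Site", "Sec-Fetch-Mode",
                  "Sec-Fetch-Dest", "Sec-Fetch-User")


@dataclass
class Decision:
    allowed: bool
    reason: str
    vary: str = ", ".join(POLICY_HEADERS)  # value for the Vary response header


def isolation_policy(method: str, headers: Dict[str, str],
                     sensitive: bool = False) -> Decision:
    """Decide whether to serve a request, using only POLICY_HEADERS.

    `sensitive` (assumed, not from the thread) marks resources that should
    only be reachable cross-site through a user-activated navigation.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # Browser does not send Fetch Metadata; fail open to stay compatible.
        return Decision(True, "no Fetch Metadata headers")
    if site in ("same-origin", "same-site", "none"):
        return Decision(True, "site=" + site)
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")
    if mode == "navigate" and method == "GET" and dest not in ("object", "embed"):
        # Cross-site top-level navigation. Sec-Fetch-User: ?1 is only sent
        # for user-activated navigations, so this branch depends on it and
        # the header must be in Vary (the point raised in the thread).
        if sensitive and h.get("sec-fetch-user") != "?1":
            return Decision(False, "cross-site navigation without user activation")
        return Decision(True, "cross-site navigation")
    # Cross-site subresource request (image, script, fetch, <embed>, ...).
    return Decision(False, "cross-site %s request for %s" % (mode, dest))
```

A framework integration would set `response.headers["Vary"] = decision.vary` on every response, including the denied ones, since a cached 403 must not be reused for a same-origin request either.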