Initiating tag header for img,script,link,and other tags that load resources

Recently I dealt with Subresources integrity (SRI) and Cors issues.

One concern that seems to keep coming up year after year is that SCRIPT, IMG tags can hit random resources on the web and that can cause the browser to leak information or cause cross site exploits of various types including an img tag deleting a record on a server someplace.

On the server side all these requests look just like any other. For ajax ( XHR ) requests we actually do get a header that specifies that the request is coming that way. I suppose IMG tags generally have a referrer but it isn’t much.

I suppose adding a header would cause a ton of internet traffic but it would allow servers to know that a browser ( unmodified anyways ) was making a request say to ://mysite.com/login inside of an IMG tag and return a 403 or 405 ( maybe a new standard status code is order ) and just shut the whole request down.

Basically a new http header like " x-initiating-tag: IMG ". Might even allow certain reporting on the server side so we can see what requests might need to go to a CDN etc etc.

This should not require any changes to http and should be non breaking as servers that don’t care about the header would simply ignore it.

This sounds a lot like Fetch Metadata Request Headers.

I.e. Sec-Fetch-Dest: image?

2 Likes