The Sec-Fetch-Dest fetch metadata request header indicates the request's destination. That is the initiator of the original fetch request, which is where (and how) the fetched data will be used.
This allows servers to determine whether to service a request based on whether it is appropriate for how it is expected to be used. For example, a request with an audio destination should request audio data, not some other type of resource (for example, a document that includes sensitive user information).
|Header type||Fetch Metadata Request Header|
|Forbidden header name||yes (prefix
|CORS-safelisted request header||no|
Sec-Fetch-Dest: audio
Sec-Fetch-Dest: audioworklet
Sec-Fetch-Dest: document
Sec-Fetch-Dest: embed
Sec-Fetch-Dest: empty
Sec-Fetch-Dest: font
Sec-Fetch-Dest: frame
Sec-Fetch-Dest: iframe
Sec-Fetch-Dest: image
Sec-Fetch-Dest: manifest
Sec-Fetch-Dest: object
Sec-Fetch-Dest: paintworklet
Sec-Fetch-Dest: report
Sec-Fetch-Dest: script
Sec-Fetch-Dest: serviceworker
Sec-Fetch-Dest: sharedworker
Sec-Fetch-Dest: style
Sec-Fetch-Dest: track
Sec-Fetch-Dest: video
Sec-Fetch-Dest: worker
Sec-Fetch-Dest: xslt
Servers should ignore this header if it contains any other value.
Note: These directives correspond to the values returned by
The destination is audio data. This might originate from an HTML
The destination is data being fetched for use by an audio worklet. This might originate from a call to
The destination is a document (HTML or XML), and the request is the result of a user-initiated top-level navigation (e.g. resulting from a user clicking a link).
The destination is embedded content. This might originate from an HTML
The destination is a font. This might originate from CSS
The destination is a frame. This might originate from an HTML
The destination is an iframe. This might originate from an HTML
The destination is a manifest. This might originate from an HTML <link rel=manifest>.
The destination is an object. This might originate from an HTML
The destination is a paint worklet. This might originate from a call to
The destination is a report (for example, a content security policy report).
The destination is a service worker. This might originate from a call to
The destination is a shared worker. This might originate from a
The destination is an HTML text track. This might originate from an HTML
The destination is video data. This might originate from an HTML
The destination is a
The destination is an XSLT transform.
A cross-site request generated by an <img> element would result in a request with the following HTTP request headers (note that the destination is
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
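A server-side check built on the header, as an added example that is not part of the original page: it refuses the cross-site `<img>` request shown above when it targets a sensitive HTML page, and ignores values outside the defined list. The `POLICY` table, the resource kinds (`page`, `audio`, `image`), the `checkDestination` name and the decision to let header-less requests through are assumptions made for illustration.

```javascript
// Added example (not from the original page): per-resource Sec-Fetch-Dest check.
// Destination values as listed in the syntax section of this page.
const KNOWN_DESTS = new Set([
  'audio', 'audioworklet', 'document', 'embed', 'empty', 'font', 'frame',
  'iframe', 'image', 'manifest', 'object', 'paintworklet', 'report', 'script',
  'serviceworker', 'sharedworker', 'style', 'track', 'video', 'worker', 'xslt',
]);

// Hypothetical policy: destinations each kind of resource is willing to serve.
const POLICY = {
  page: new Set(['document']), // sensitive HTML: top-level navigation only
  audio: new Set(['audio']),
  image: new Set(['image']),
};

// headers: object with lowercased header names (as Node's http module provides).
function checkDestination(headers, kind) {
  const allowed = POLICY[kind];
  if (!allowed) throw new Error(`no policy for resource kind: ${kind}`);

  const raw = headers['sec-fetch-dest'];
  // Assumption: clients that do not send the header are not blocked by this check.
  if (raw === undefined) return { allow: true, reason: 'header absent' };

  const dest = String(raw).trim();
  // Values outside the defined list are ignored, as the page instructs.
  if (!KNOWN_DESTS.has(dest)) return { allow: true, reason: 'unknown value ignored' };

  return allowed.has(dest)
    ? { allow: true, reason: `${dest} permitted for ${kind}` }
    : { allow: false, reason: `${dest} not permitted for ${kind}` };
}

// Constructed sample requests; the first reuses the <img> headers from the page.
const samples = [
  [{ 'sec-fetch-dest': 'image', 'sec-fetch-mode': 'no-cors', 'sec-fetch-site': 'cross-site' }, 'page'],
  [{ 'sec-fetch-dest': 'image', 'sec-fetch-mode': 'no-cors', 'sec-fetch-site': 'cross-site' }, 'image'],
  [{ 'sec-fetch-dest': 'audio' }, 'page'],
  [{ 'sec-fetch-dest': 'document' }, 'page'],
  [{ 'sec-fetch-dest': 'hologram' }, 'page'], // not a defined value
  [{}, 'page'],                               // header not sent
];
for (const [headers, kind] of samples) {
  const { allow, reason } = checkDestination(headers, kind);
  console.log(`${kind.padEnd(5)} ${allow ? 'ALLOW' : 'DENY '} ${reason}`);
}
```

An "ignored" or absent header means only that this check makes no decision; the request still passes through whatever other authorization the server applies.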
|Fetch Metadata Request Headers (Fetch Metadata)|
- Related headers
- Protect your resources from web attacks with Fetch Metadata (web.dev)
- Fetch Metadata Request Headers playground (secmetadata.appspot.com)