0

I have two demo apps on Heroku, let’s call them a.herokuapp.com (website) and b.herokuapp.com (CDN).

When visiting a.herokuapp.com in a browser, a request is made for content (media) stored on b.herokuapp.com. This, by definition, should be a request to the same site, since both are subdomains of the same domain.

However, when I check the actual request the browser makes (Chrome), Sec-Fetch-Site is set to cross-site, not same-site:

…
Host: b.herokuapp.com
Origin: https://a.herokuapp.com
Referer: https://a.herokuapp.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
…
s_joe77
  • 19
  • 5

1 Answer

0

I have figured it out - it behaves as expected. The two URLs aren’t considered “same site”.

See here:

https://html.spec.whatwg.org/multipage/origin.html#same-site

s_joe77
  • 19
  • 5
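To make the spec definition the answer links to concrete, here is an added example (not part of the question or answer above) that computes the HTML "same site" relation and the resulting Sec-Fetch-Site value for a pair of URLs. A site is the scheme plus the host's registrable domain, and the registrable domain is derived from the Public Suffix List. herokuapp.com is itself a public suffix, so the registrable domain of a.herokuapp.com is a.herokuapp.com and the two apps end up on different sites. The PUBLIC_SUFFIXES set below is a constructed handful of entries standing in for the real list, the IP-address handling is a simplification, and the "none" value for user-initiated navigations is deliberately left out.

```javascript
// Constructed subset of the Public Suffix List (the real list has thousands of
// rules); only what is needed to illustrate the herokuapp.com case.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "herokuapp.com", "github.io"]);

// True for a literal IPv4 or bracketed IPv6 hostname (simplified check).
function isIpAddress(host) {
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Longest public suffix matching the host; falls back to the last label,
// which mirrors the PSL's implicit "*" rule for unknown TLDs.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain per the URL spec: public suffix plus the label before it,
// or null when the host is an IP address or is itself a public suffix.
function registrableDomain(host) {
  const h = host.toLowerCase();
  if (isIpAddress(h)) return null;
  const suffix = publicSuffix(h);
  if (suffix === h) return null;
  const rest = h.slice(0, h.length - suffix.length - 1);
  const lastLabel = rest.split(".").pop();
  return `${lastLabel}.${suffix}`;
}

// A site is (scheme, registrable domain); when the registrable domain is
// null the host itself is used, as the HTML spec's "same site" check does.
function site(url) {
  const u = new URL(url);
  const rd = registrableDomain(u.hostname);
  return { scheme: u.protocol.replace(":", ""), host: rd === null ? u.hostname : rd };
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Schemeful same-site: schemes must match and the registrable domains must match.
function sameSite(a, b) {
  const sa = site(a), sb = site(b);
  return sa.scheme === sb.scheme && sa.host === sb.host;
}

// Sec-Fetch-Site as a browser would set it for a request from initiatorOrigin
// to targetUrl (the "none" value for user-initiated navigations is omitted).
function secFetchSite(initiatorOrigin, targetUrl) {
  if (sameOrigin(initiatorOrigin, targetUrl)) return "same-origin";
  if (sameSite(initiatorOrigin, targetUrl)) return "same-site";
  return "cross-site";
}

// The case from the question: two apps under the public suffix herokuapp.com.
console.log(secFetchSite("https://a.herokuapp.com", "https://b.herokuapp.com/media/x.png"));
// Contrast: two subdomains of a registrable domain the same owner controls.
console.log(secFetchSite("https://a.example.com", "https://b.example.com/media/x.png"));
```

A server-side check that treats `Sec-Fetch-Site: same-site` as "my own subdomains" therefore only works for hosts whose registrable domain you own; on a shared suffix such as herokuapp.com every other tenant is cross-site, and so are you to yourself across apps.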