HTML

Structure of content on the web

  • Web APIs

    Interfaces for building web applications

  • Learn
  • HTTP Observatory

    Scan a website for free

  • HTTP
  • HTTP
  • A typical HTTP session
  • HTTP caching
  • HTTP conditional requests
  • Protocol upgrade mechanism
  • HTTP Observatory
  • Permissions Policy
  • CORS errors
    1. Reason: CORS header 'Origin' cannot be added
    2. Reason: CORS request not HTTP
    3. Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'
    4. Reference
    5. Accept-Encoding
    6. Accept-Ranges
    7. Access-Control-Allow-Origin
    8. Access-Control-Request-Method
    9. Alt-Used
    10. Attribution-Reporting-Eligible
    11. Attribution-Reporting-Register-Source
    12. Attribution-Reporting-Register-Trigger
    13. Connection
    14. Content-DPR
    15. Content-Location
    16. Content-Type
    17. Critical-CH
    18. Date
    19. DNT
    20. Downlink
    21. DPR
    22. Early-Data
    23. ECT
    24. Expect-CT
    25. Host
    26. If-Range
    27. Link
    28. NEL
    29. No-Vary-Search
    30. Observe-Browsing-Topics
    31. Origin-Agent-Cluster
    32. Permissions-Policy
    33. Pragma
    34. Range
    35. Report-To
    36. Reporting-Endpoints
    37. RTT
    38. Save-Data
    39. Sec-Browsing-Topics
    40. Sec-CH-Prefers-Color-Scheme
    41. Sec-CH-Prefers-Reduced-Motion
    42. Sec-CH-Prefers-Reduced-Transparency
    43. Sec-CH-UA
    44. Sec-CH-UA-Arch
    45. Sec-CH-UA-Bitness
    46. Sec-CH-UA-Form-Factors
    47. Sec-CH-UA-Full-Version
    48. Sec-CH-UA-Full-Version-List
    49. Sec-CH-UA-Mobile
    50. Sec-CH-UA-Model
    51. Sec-CH-UA-Platform
    52. Sec-CH-UA-Platform-Version
    53. Sec-CH-UA-WoW64
    54. Sec-Fetch-User
    55. Sec-GPC
    56. Sec-WebSocket-Key
    57. Server-Timing
    58. Set-Cookie
    59. Set-Login
    60. Speculation-Rules
    61. Supports-Loading-Mode
    62. Tk
    63. Upgrade-Insecure-Requests
    64. Viewport-Width
    65. Warning
    66. Width
    67. X-DNS-Prefetch-Control
    68. X-Forwarded-For
    69. X-Forwarded-Host
    70. X-Forwarded-Proto
    71. X-Permitted-Cross-Domain-Policies
    72. X-Powered-By
    73. X-Robots-Tag
    74. X-XSS-Protection
  • GET
  • POST
  • 100 Continue
  • 200 OK
  • 204 No Content
  • 208 Already Reported
  • 302 Found
  • 308 Permanent Redirect
  • 403 Forbidden
  • 407 Proxy Authentication Required
  • 411 Length Required
  • 415 Unsupported Media Type
  • 421 Misdirected Request
  • 425 Too Early
  • 431 Request Header Fields Too Large
  • 502 Bad Gateway
  • 506 Variant Also Negotiates
  • 511 Network Authentication Required
  • CSP: block-all-mixed-content
  • CSP: fenced-frame-src
  • CSP: frame-src
  • CSP: object-src
  • CSP: prefetch-src
  • CSP: report-uri
  • CSP: require-trusted-types-for
  • CSP: script-src-elem
  • CSP: trusted-types
  • Permissions-Policy directives
    1. Permissions-Policy: accelerometer
    2. Permissions-Policy: ambient-light-sensor
    3. Permissions-Policy: attribution-reporting
    4. Permissions-Policy: autoplay
    5. Permissions-Policy: bluetooth
    6. Permissions-Policy: browsing-topics
    7. Permissions-Policy: camera
    8. Permissions-Policy: compute-pressure
    9. Permissions-Policy: cross-origin-isolated
    10. Permissions-Policy: display-capture
    11. Permissions-Policy: document-domain
    12. Permissions-Policy: encrypted-media
    13. Permissions-Policy: fullscreen
    14. Permissions-Policy: gamepad
    15. Permissions-Policy: geolocation
    16. Permissions-Policy: gyroscope
    17. Permissions-Policy: hid
    18. Permissions-Policy: identity-credentials-get
    19. Permissions-Policy: idle-detection
    20. Permissions-Policy: local-fonts
    21. Permissions-Policy: magnetometer
    22. Permissions-Policy: microphone
    23. Permissions-Policy: midi
    24. Permissions-Policy: otp-credentials
    25. Permissions-Policy: payment
    26. Permissions-Policy: picture-in-picture
    27. Permissions-Policy: publickey-credentials-create
    28. Permissions-Policy: publickey-credentials-get
    29. Permissions-Policy: screen-wake-lock
    30. Permissions-Policy: serial
    31. Permissions-Policy: speaker-selection
    32. Permissions-Policy: storage-access
    33. Permissions-Policy: usb
    34. Permissions-Policy: web-share
    35. Permissions-Policy: window-management
    36. Permissions-Policy: xr-spatial-tracking
  • fetch metadata request header indicates the purpose for which the requested resource will be used, when that purpose is something other than immediate use by the user-agent.

    The only purpose that is currently defined is prefetch, which indicates that the resource is being requested in anticipation that it will be needed by a page that is likely to be navigated to in the near future, such as a page linked in search results or a link that a user has hovered over. The server can use this knowledge to: adjust the caching expiry for the request, disallow the request, or perhaps to treat it differently when counting page visits.

    The header is sent when a page is loaded that has a rel="prefetch". Note that if this header is set then a Accept header should match the value used for normal navigation requests.

    Header type Fetch Metadata Request Header
    Forbidden request header Yes (Sec- prefix)
    CORS-safelisted request header No

    • Syntax

    http
    Sec-Purpose: prefetch

    Directives

    The allowed tokens are:

    prefetch

    The purpose is to prefetch a resource that may be needed in a probable future navigation.

    Examples

    A prefetch request

    Consider the case where a browser loads a file with a <link> element that has the attribute rel="prefetch" and an href attribute containing the address of an image file. The resulting fetch() should result in an HTTP request where Sec-Purpose: prefetch, Sec-Fetch-Dest: empty, and an Accept value that is the same as the browser uses for page navigation.

    An example of such a header (on Firefox) is given below:

    http
    GET /images/some_image.png HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-Purpose: prefetch
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

    Note: At time of writing Firefox incorrectly sets the Accept header as Accept: */* for prefetches. The example has been modified to show what the Accept value should be. This issue can be tracked in Firefox bug 1836334.

    Specifications

    Specification
    Prefetch
    # sec-purpose-header

    Browser compatibility

    BCD tables only load in the browser

    See also