Please see: https://github.com/whatwg/fetch/pull/1345 Webkit already implements part of this spec change. Specifically, it seems to propagate the requests origin for passthrough service workers that do `evt.respondWith(fetch(evt.request))`. It does not, however, correctly set the origin header to `origin:null` if the FetchEvent.request is a navigation that redirected through a cross-origin URL. The WPT tests for this change are at: https://wpt.fyi/results/service-workers/service-worker/navigation-headers.https.html?label=experimental&label=master&aligned Many of the failures there are for things not implemented by webkit yet and can be ignored. The failures that matter for this bug are the test cases: * "POST Navigation, same-origin with same-site redirect and passthrough service worker sets correct origin and referer headers." * "POST Navigation, same-origin with cross-site redirect and passthrough service worker sets correct origin and referer headers." * "POST Navigation, same-origin with cross-site redirect, same-origin redirect, and passthrough service worker sets correct origin and referer headers."
Hmm, I didn't realize webkit implements some samesite cookies features as well. It seems those are not taking the origin of the passthrough request into account currently. See the failures in: https://wpt.fyi/results/service-workers/service-worker/same-site-cookies.https.html?label=experimental&label=master&aligned For example, the test case "cross-site, window.open with passthrough".
<rdar://problem/85911487>