From 3d2b51021dc17b2df6db797b70ab0fcac8cb2071 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@chromium.org>
Date: Fri, 29 Mar 2019 05:21:29 -0700
Subject: [PATCH] Send `Sec-Fetch-User` only for user-activated, navigational
 requests.

As per the conversation in mikewest/sec-metadata#23 and
mikewest/sec-metadata#19, this patch drops the `Sec-Fetch-User` header
for non-navigational requests, and for navigational requests that are
not user-activated.

Bug: 947444
Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3
---
 .../embed.tentative.https.sub.html            |   6 +-
 .../fetch.tentative.https.sub.html            |  12 +-
 .../font.tentative.https.sub.html             |   6 +-
 .../iframe.tentative.https.sub.html           | 134 ++++++++++--------
 .../sec-metadata/img.tentative.https.sub.html |  12 +-
 .../object.tentative.https.sub.html           |   6 +-
 ...oss-site-redirect.tentative.https.sub.html |   6 +-
 ...direct-cross-site.tentative.https.sub.html |   2 +-
 ...edirect-same-site.tentative.https.sub.html |   2 +-
 ...e-origin-redirect.tentative.https.sub.html |   6 +-
 ...ame-site-redirect.tentative.https.sub.html |   6 +-
 .../report.tentative.https.sub.html           |   6 +-
 .../script.tentative.https.sub.html           |   8 +-
 .../serviceworker.tentative.https.sub.html    |   2 +-
 .../sharedworker.tentative.https.sub.html     |   2 +-
 .../style.tentative.https.sub.html            |   8 +-
 .../track.tentative.https.sub.html            |   8 +-
 .../trailing-dot.tentative.https.sub.html     |   6 +-
 .../window-open.tentative.https.sub.html      |  12 +-
 .../worker.tentative.https.sub.html           |   2 +-
 .../xslt.tentative.https.sub.html             |   6 +-
 21 files changed, 143 insertions(+), 115 deletions(-)

diff --git a/fetch/sec-metadata/embed.tentative.https.sub.html b/fetch/sec-metadata/embed.tentative.https.sub.html
index b97de9ef2fd4c0c..c46765b37c63252 100644
--- a/fetch/sec-metadata/embed.tentative.https.sub.html
+++ b/fetch/sec-metadata/embed.tentative.https.sub.html
@@ -16,7 +16,7 @@
       let e = document.createElement('embed');
       e.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"embed", "site":"same-origin", "user":"?F", "mode":"no-cors"};
+        let expected = {"dest":"embed", "site":"same-origin", "user":"", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -35,7 +35,7 @@
       let e = document.createElement('embed');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"embed", "site":"same-site", "user":"?F", "mode":"no-cors"};
+        let expected = {"dest":"embed", "site":"same-site", "user":"", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -54,7 +54,7 @@
       let e = document.createElement('embed');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"embed", "site":"cross-site", "user":"?F", "mode":"no-cors"};
+        let expected = {"dest":"embed", "site":"cross-site", "user":"", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
diff --git a/fetch/sec-metadata/fetch.tentative.https.sub.html b/fetch/sec-metadata/fetch.tentative.https.sub.html
index dc4b977ac6ec654..bffb4275df8e99c 100644
--- a/fetch/sec-metadata/fetch.tentative.https.sub.html
+++ b/fetch/sec-metadata/fetch.tentative.https.sub.html
@@ -11,7 +11,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-origin",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
@@ -24,7 +24,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-site",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
@@ -37,7 +37,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "cross-site",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
@@ -51,7 +51,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-origin",
-            "user": "?F",
+            "user": "",
             "mode": "same-origin",
           });
         });
@@ -64,7 +64,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-origin",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
@@ -77,7 +77,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-origin",
-            "user": "?F",
+            "user": "",
             "mode": "no-cors",
           });
         });
diff --git a/fetch/sec-metadata/font.tentative.https.sub.html b/fetch/sec-metadata/font.tentative.https.sub.html
index 9792f2dce9427c3..60163ee714686fc 100644
--- a/fetch/sec-metadata/font.tentative.https.sub.html
+++ b/fetch/sec-metadata/font.tentative.https.sub.html
@@ -46,7 +46,7 @@
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "font-same-origin";
-        let expected = {"dest":"font", "site":"same-origin", "user":"?F", "mode": "cors"};
+        let expected = {"dest":"font", "site":"same-origin", "user":"", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -58,7 +58,7 @@
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "font-same-site";
-        let expected = {"dest":"font", "site":"same-site", "user":"?F", "mode": "cors"};
+        let expected = {"dest":"font", "site":"same-site", "user":"", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -70,7 +70,7 @@
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "font-cross-site";
-        let expected = {"dest":"font", "site":"cross-site", "user":"?F", "mode": "cors"};
+        let expected = {"dest":"font", "site":"cross-site", "user":"", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
diff --git a/fetch/sec-metadata/iframe.tentative.https.sub.html b/fetch/sec-metadata/iframe.tentative.https.sub.html
index 056d8fdba945ddc..461d9f28fa1e898 100644
--- a/fetch/sec-metadata/iframe.tentative.https.sub.html
+++ b/fetch/sec-metadata/iframe.tentative.https.sub.html
@@ -1,63 +1,85 @@
 <!DOCTYPE html>
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
+<script src=/resources/testdriver.js></script>
+<script src=/resources/testdriver-vendor.js></script>
 <script src=/fetch/sec-metadata/resources/helper.js></script>
+<script src=/common/utils.js></script>
 <body>
 <script>
-  async_test(t => {
-    let i = document.createElement('iframe');
-    i.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
-    window.addEventListener('message', t.step_func(e => {
-      if (e.source != i.contentWindow)
-        return;
-
-      assert_header_equals(e.data, {
-        "dest": "nested-document",
-        "site": "same-origin",
-        "user": "?F",
-        "mode": "nested-navigate"
-      });
-      t.done();
-    }));
-
-    document.body.appendChild(i);
-  }, "Same-origin iframe");
-
-  async_test(t => {
-    let i = document.createElement('iframe');
-    i.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
-    window.addEventListener('message', t.step_func(e => {
-      if (e.source != i.contentWindow)
-        return;
-
-      assert_header_equals(e.data, {
-        "dest": "nested-document",
-        "site": "same-site",
-        "user": "?F",
-        "mode": "nested-navigate"
-      });
-      t.done();
-    }));
-
-    document.body.appendChild(i);
-  }, "Same-site iframe");
-
-  async_test(t => {
-    let i = document.createElement('iframe');
-    i.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
-    window.addEventListener('message', t.step_func(e => {
-      if (e.source != i.contentWindow)
-        return;
-
-      assert_header_equals(e.data, {
-        "dest": "nested-document",
-        "site": "cross-site",
-        "user": "?F",
-        "mode": "nested-navigate"
-      });
-      t.done();
-    }));
-
-    document.body.appendChild(i);
-  }, "Cross-site iframe");
+  const USER = true;
+  const FORCED = false;
+
+  function create_test(host, user_activated, expectations) {
+    async_test(t => {
+      let i = document.createElement('iframe');
+      window.addEventListener('message', t.step_func(e => {
+        if (e.source != i.contentWindow)
+          return;
+
+        assert_header_equals(e.data, expectations);
+        t.done();
+      }));
+
+      let url = `https://${host}/fetch/sec-metadata/resources/post-to-owner.py`;
+      if (user_activated == FORCED) {
+        i.src = url;
+        document.body.appendChild(i);
+      } else if (user_activated == USER) {
+        let uuid = token();
+        i.name = uuid;
+        let a = document.createElement('a');
+        a.href = url;
+        a.target = uuid;
+        a.text = "This is a link!";
+
+        document.body.appendChild(i);
+        document.body.appendChild(a);
+
+        test_driver.click(a);
+      }
+    }, `{{host}} -> ${host} iframe: ${user_activated ? "user-activated" : "forced"}`);
+  }
+
+  create_test("{{host}}:{{ports[https][0]}}", FORCED, {
+    "dest": "nested-document",
+    "site": "same-origin",
+    "user": "",
+    "mode": "nested-navigate"
+  });
+
+  create_test("{{hosts[][www]}}:{{ports[https][0]}}", FORCED, {
+    "dest": "nested-document",
+    "site": "same-site",
+    "user": "",
+    "mode": "nested-navigate"
+  });
+
+  create_test("{{hosts[alt][www]}}:{{ports[https][0]}}", FORCED, {
+    "dest": "nested-document",
+    "site": "cross-site",
+    "user": "",
+    "mode": "nested-navigate"
+  });
+
+  create_test("{{host}}:{{ports[https][0]}}", USER, {
+    "dest": "nested-document",
+    "site": "same-origin",
+    "user": "?T",
+    "mode": "nested-navigate"
+  });
+
+  create_test("{{hosts[][www]}}:{{ports[https][0]}}", USER, {
+    "dest": "nested-document",
+    "site": "same-site",
+    "user": "?T",
+    "mode": "nested-navigate"
+  });
+
+  create_test("{{hosts[alt][www]}}:{{ports[https][0]}}", USER, {
+    "dest": "nested-document",
+    "site": "cross-site",
+    "user": "?T",
+    "mode": "nested-navigate"
+  });
 </script>
diff --git a/fetch/sec-metadata/img.tentative.https.sub.html b/fetch/sec-metadata/img.tentative.https.sub.html
index 802ae25b775c0b2..717e385bd040be4 100644
--- a/fetch/sec-metadata/img.tentative.https.sub.html
+++ b/fetch/sec-metadata/img.tentative.https.sub.html
@@ -23,7 +23,9 @@
         assert_header_equals(got, {
           "dest": "image",
           "site": "same-origin",
-          "user": "?F",
+          // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
+          // that `image.py` encodes data.
+          "user": undefined,
           "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
         });
       }),
@@ -45,7 +47,9 @@
         assert_header_equals(got, {
           "dest": "image",
           "site": "same-site",
-          "user": "?F",
+          // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
+          // that `image.py` encodes data.
+          "user": undefined,
           "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
         });
       }),
@@ -67,7 +71,9 @@
         assert_header_equals(got, {
           "dest": "image",
           "site": "cross-site",
-          "user": "?F",
+          // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
+          // that `image.py` encodes data.
+          "user": undefined,
           "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
         });
       }),
diff --git a/fetch/sec-metadata/object.tentative.https.sub.html b/fetch/sec-metadata/object.tentative.https.sub.html
index 474962918b03075..b60ae206c78b3dd 100644
--- a/fetch/sec-metadata/object.tentative.https.sub.html
+++ b/fetch/sec-metadata/object.tentative.https.sub.html
@@ -16,7 +16,7 @@
       let e = document.createElement('object');
       e.data = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"object", "site":"same-origin", "user":"?F", "mode":"no-cors"};
+        let expected = {"dest":"object", "site":"same-origin", "user":"", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -35,7 +35,7 @@
       let e = document.createElement('object');
       e.data = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"object", "site":"same-site", "user":"?F", "mode":"no-cors"};
+        let expected = {"dest":"object", "site":"same-site", "user":"", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -54,7 +54,7 @@
       let e = document.createElement('object');
       e.data = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"object", "site":"cross-site", "user":"?F", "mode":"no-cors"};
+        let expected = {"dest":"object", "site":"cross-site", "user":"", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
diff --git a/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html b/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
index 1634a29f3791490..06b58744fb5a26f 100644
--- a/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
+++ b/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
@@ -15,7 +15,7 @@
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
@@ -41,7 +41,7 @@
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
@@ -67,7 +67,7 @@
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
diff --git a/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html b/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
index 7647a5b1c89a99a..e173bb053fedd46 100644
--- a/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
+++ b/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
@@ -17,7 +17,7 @@
       e.src = "https://{{host}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-origin
       "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// cross-site
       "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;// same-origin
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
diff --git a/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html b/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
index e83d6fd97e844f8..d19a1896ad77e69 100644
--- a/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
+++ b/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
@@ -17,7 +17,7 @@
       e.src = "https://{{host}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-origin
       "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-site
       "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;// same-origin
-      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"same-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
diff --git a/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html b/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
index 2033eab5979a619..0b4fdfeec58b6f3 100644
--- a/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
+++ b/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
@@ -15,7 +15,7 @@
 
       let e = document.createElement('img');
       e.src = "/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-origin", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"same-origin", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -42,7 +42,7 @@
 
       let e = document.createElement('img');
       e.src = "/xhr/resources/redirect.py?location=https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"same-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -69,7 +69,7 @@
 
       let e = document.createElement('img');
       e.src = "/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
diff --git a/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html b/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html
index c5b6830abed5f19..70c0afef2288346 100644
--- a/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html
+++ b/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html
@@ -15,7 +15,7 @@
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"same-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -42,7 +42,7 @@
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"same-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -69,7 +69,7 @@
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
diff --git a/fetch/sec-metadata/report.tentative.https.sub.html b/fetch/sec-metadata/report.tentative.https.sub.html
index 405964e08923ae7..eb6c76b57c75a70 100644
--- a/fetch/sec-metadata/report.tentative.https.sub.html
+++ b/fetch/sec-metadata/report.tentative.https.sub.html
@@ -22,9 +22,9 @@
   document.addEventListener("securitypolicyviolation", (e) => {
     counter++;
     if (counter == 3) {
-      generate_test({"dest":"report", "site":"same-origin", "user":"?F", "mode": "no-cors"}, "same-origin");
-      generate_test({"dest":"report", "site":"same-site", "user":"?F", "mode": "no-cors"}, "same-site");
-      generate_test({"dest":"report", "site":"cross-site", "user":"?F", "mode": "no-cors"}, "cross-site");
+      generate_test({"dest":"report", "site":"same-origin", "user":"", "mode": "no-cors"}, "same-origin");
+      generate_test({"dest":"report", "site":"same-site", "user":"", "mode": "no-cors"}, "same-site");
+      generate_test({"dest":"report", "site":"cross-site", "user":"", "mode": "no-cors"}, "cross-site");
 
       done();
     }
diff --git a/fetch/sec-metadata/script.tentative.https.sub.html b/fetch/sec-metadata/script.tentative.https.sub.html
index a35e753c7898cc8..b2874a37da1ebb5 100644
--- a/fetch/sec-metadata/script.tentative.https.sub.html
+++ b/fetch/sec-metadata/script.tentative.https.sub.html
@@ -12,7 +12,7 @@
     assert_header_equals(header, {
       "dest": "script",
       "site": "same-origin",
-      "user": "?F",
+      "user": "",
       "mode": "no-cors",
     });
   }, "Same-origin script");
@@ -27,7 +27,7 @@
     assert_header_equals(header, {
       "dest": "script",
       "site": "same-site",
-      "user": "?F",
+      "user": "",
       "mode": "no-cors",
     });
   }, "Same-site script");
@@ -42,7 +42,7 @@
     assert_header_equals(header, {
       "dest": "script",
       "site": "cross-site",
-      "user": "?F",
+      "user": "",
       "mode": "no-cors",
     });
   }, "Cross-site script");
@@ -57,7 +57,7 @@
     assert_header_equals(header, {
       "dest": "script",
       "site": "same-origin",
-      "user": "?F",
+      "user": "",
       "mode": "cors",
     });
   }, "Same-origin CORS script");
diff --git a/fetch/sec-metadata/serviceworker.tentative.https.sub.html b/fetch/sec-metadata/serviceworker.tentative.https.sub.html
index 590a6c33475d26e..ee436d9265ff85c 100644
--- a/fetch/sec-metadata/serviceworker.tentative.https.sub.html
+++ b/fetch/sec-metadata/serviceworker.tentative.https.sub.html
@@ -38,7 +38,7 @@
   function test_same_origin(){
     promise_test(t => {
     return new Promise((resolve, reject) => {
-      let expected = {"dest":"serviceworker", "site":"same-origin", "user":"?F", "mode": "same-origin"};
+      let expected = {"dest":"serviceworker", "site":"same-origin", "user":"", "mode": "same-origin"};
       fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
         .then(response => response.text())
         .then(text => assert_header_equals(text, expected))
diff --git a/fetch/sec-metadata/sharedworker.tentative.https.sub.html b/fetch/sec-metadata/sharedworker.tentative.https.sub.html
index a1c558ad35dfbdb..ddd4cc9914eb28a 100644
--- a/fetch/sec-metadata/sharedworker.tentative.https.sub.html
+++ b/fetch/sec-metadata/sharedworker.tentative.https.sub.html
@@ -28,7 +28,7 @@
   function test_same_origin(){
     promise_test(t => {
       return new Promise((resolve, reject) => {
-        let expected = {"dest":"sharedworker", "site":"same-origin", "user":"?F", "mode": "same-origin"};
+        let expected = {"dest":"sharedworker", "site":"same-origin", "user":"", "mode": "same-origin"};
 
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
diff --git a/fetch/sec-metadata/style.tentative.https.sub.html b/fetch/sec-metadata/style.tentative.https.sub.html
index 46f64f49bde0ce6..19cc16d8017cc2a 100644
--- a/fetch/sec-metadata/style.tentative.https.sub.html
+++ b/fetch/sec-metadata/style.tentative.https.sub.html
@@ -17,7 +17,7 @@
       e.rel = "stylesheet";
       e.href = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"style", "site":"same-origin", "user":"?F", "mode": "no-cors"};
+        let expected = {"dest":"style", "site":"same-origin", "user":"", "mode": "no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -37,7 +37,7 @@
       e.rel = "stylesheet";
       e.href = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"style", "site":"same-site", "user":"?F", "mode": "no-cors"};
+        let expected = {"dest":"style", "site":"same-site", "user":"", "mode": "no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -57,7 +57,7 @@
       e.rel = "stylesheet";
       e.href = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"style", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+        let expected = {"dest":"style", "site":"cross-site", "user":"", "mode": "no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
@@ -78,7 +78,7 @@
       e.href = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.crossOrigin = "anonymous";
       e.onload = e => {
-        let expected = {"dest":"style", "site":"same-origin", "user":"?F", "mode": "cors"};
+        let expected = {"dest":"style", "site":"same-origin", "user":"", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
diff --git a/fetch/sec-metadata/track.tentative.https.sub.html b/fetch/sec-metadata/track.tentative.https.sub.html
index 817e4845edb215c..fe525caf1552331 100644
--- a/fetch/sec-metadata/track.tentative.https.sub.html
+++ b/fetch/sec-metadata/track.tentative.https.sub.html
@@ -36,7 +36,7 @@
         expected = {
           "dest": "track",
           "site": "same-origin",
-          "user": "?F",
+          "user": "",
           "mode": "cors" // Because the `video` element has `crossorigin`
         };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -59,7 +59,7 @@
         expected = {
           "dest": "track",
           "site": "same-site",
-          "user": "?F",
+          "user": "",
           "mode": "cors" // Because the `video` element has `crossorigin`
         };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -84,7 +84,7 @@
         expected = {
           "dest": "track",
           "site": "cross-site",
-          "user": "?F",
+          "user": "",
           "mode": "cors" // Because the `video` element has `crossorigin`
         };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
@@ -112,7 +112,7 @@
         expected = {
           "dest":"track",
           "site":"same-origin",
-          "user":"?F",
+          "user":"",
           "mode": "same-origin"
         };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
diff --git a/fetch/sec-metadata/trailing-dot.tentative.https.sub.html b/fetch/sec-metadata/trailing-dot.tentative.https.sub.html
index 85f9c73c6ae22fb..ff0e842d5118cba 100644
--- a/fetch/sec-metadata/trailing-dot.tentative.https.sub.html
+++ b/fetch/sec-metadata/trailing-dot.tentative.https.sub.html
@@ -11,7 +11,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "cross-site",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
@@ -24,7 +24,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "cross-site",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
@@ -37,7 +37,7 @@
           assert_header_equals(j, {
             "dest": "empty",
             "site": "cross-site",
-            "user": "?F",
+            "user": "",
             "mode": "cors",
           });
         });
diff --git a/fetch/sec-metadata/window-open.tentative.https.sub.html b/fetch/sec-metadata/window-open.tentative.https.sub.html
index ef2bc81824ea5f9..0be9f2ce577d5cd 100644
--- a/fetch/sec-metadata/window-open.tentative.https.sub.html
+++ b/fetch/sec-metadata/window-open.tentative.https.sub.html
@@ -17,7 +17,7 @@
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "same-origin",
-        "user": "?F",
+        "user": "",
         "mode": "navigate",
       });
       t.done();
@@ -34,7 +34,7 @@
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "same-site",
-        "user": "?F",
+        "user": "",
         "mode": "navigate",
       });
       t.done();
@@ -51,7 +51,7 @@
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "cross-site",
-        "user": "?F",
+        "user": "",
         "mode": "navigate",
       });
       t.done();
@@ -70,7 +70,7 @@
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "same-origin",
-        "user": "?F",
+        "user": "",
         "mode": "navigate",
       });
 
@@ -94,7 +94,7 @@
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "same-site",
-        "user": "?F",
+        "user": "",
         "mode": "navigate",
       });
 
@@ -118,7 +118,7 @@
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "cross-site",
-        "user": "?F",
+        "user": "",
         "mode": "navigate",
       });
 
diff --git a/fetch/sec-metadata/worker.tentative.https.sub.html b/fetch/sec-metadata/worker.tentative.https.sub.html
index dc21d0324f442a8..940e25b2a51a416 100644
--- a/fetch/sec-metadata/worker.tentative.https.sub.html
+++ b/fetch/sec-metadata/worker.tentative.https.sub.html
@@ -13,7 +13,7 @@
       let key = "worker-same-origin" + nonce;
       let w = new Worker("/fetch/sec-metadata/resources/record-header.py?file=" + key);
       w.onmessage = e => {
-        let expected = {"dest":"worker", "site":"same-origin", "user":"?F", "mode": "same-origin"};
+        let expected = {"dest":"worker", "site":"same-origin", "user":"", "mode": "same-origin"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
diff --git a/fetch/sec-metadata/xslt.tentative.https.sub.html b/fetch/sec-metadata/xslt.tentative.https.sub.html
index eea2329900e000c..0d429266288e8a7 100644
--- a/fetch/sec-metadata/xslt.tentative.https.sub.html
+++ b/fetch/sec-metadata/xslt.tentative.https.sub.html
@@ -12,21 +12,21 @@
       return;
 
     promise_test(t => {
-      let expected = {"dest":"xslt", "site":"same-origin", "user":"?F", "mode": "same-origin"};
+      let expected = {"dest":"xslt", "site":"same-origin", "user":"", "mode": "same-origin"};
       return fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=xslt-same-origin")
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected));
     }, "Same-Origin xslt");
 
     promise_test(t => {
-      let expected = {"dest":"xslt", "site":"same-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"xslt", "site":"same-site", "user":"", "mode": "no-cors"};
       return fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=xslt-same-site")
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected));
     }, "Same-site xslt");
 
     promise_test(t => {
-      let expected = {"dest":"xslt", "site":"cross-site", "user":"?F", "mode": "no-cors"};
+      let expected = {"dest":"xslt", "site":"cross-site", "user":"", "mode": "no-cors"};
       return fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=xslt-cross-site")
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected));