De-AMP Sec-Fetch-Site Bypass Test

Site A: test-website-a.pages.dev

What this tests

When Brave's De-AMP feature redirects from a cross-site AMP page back to this origin, the Sec-Fetch-Site header should be cross-site (because the redirect chain included a cross-site URL).

If De-AMP erases the cross-site hop from the redirect chain, the header will incorrectly be same-origin.

Steps

  1. Click the cross-site AMP link below.
  2. Brave should detect the AMP page on Site B and De-AMP redirect you to Site A's header inspector.
  3. Check the Sec-Fetch-Site value on the results page.

Test Links

1. Cross-site AMP page (Site B) -- triggers De-AMP redirect to Site A

2. Direct same-origin link (control) -- should show same-origin

Expected results

Link Expected Sec-Fetch-Site
Link 1 (via De-AMP from Site B) cross-site
Link 2 (direct same-origin) same-origin