POC 1: Cross-Origin

  1. Click the link that defines a cross-origin ping URL.
  2. If the current page is HTTPS, observe that the page URL (excluding the original fragment) is sent to the ping endpoint in a Ping-To header.
  3. If the current page is HTTP, observe that the page URL (including the original fragment) is sent to the ping endpoint in a Ping-From header.

Cross-origin ping URL (ping to https://example.com)

POC 2: Same-Origin

  1. Click the link that defines a same-origin ping URL.
  2. Observe that the full page URL (including the original fragment) is sent to the ping endpoint in a Ping-From header.

Same-origin ping URL (ping to https://storage.googleapis.com/)

@nowaskyjr