This repository was archived by the owner on Jun 30, 2023. It is now read-only.

specify prerender processing model #63

@jakearchibald

Both same-site cookies and From-Origin mitigate against HEIST at the root by preventing the requesting origin from getting timing data from a credentialed request to another origin.

Both proposals (optionally in same-site cookies) allow the credentialed cross-origin response if it's part of a top-level navigation.

As it's currently specced, it isn't clear where prerender fits into that, as it may or may not be top level. Its fetching and matching need to be specified.

Options:

  • Downgrade prerender to preconnect for cross-origin resources (prefetch doesn't make sense as a fallback here)
  • Allow the as attribute, which can be something like "top-level" or "auxiliary" - this would indicate how same-site/from-origin should be applied, and when the prerendered document can be matched to a navigation
    • Load events must never be fired for "top-level" prerenders as this leaks timing data that may otherwise be prevented
