As part of the effort to make prefetch interoperable, we have recently changed the CSP spec so that there is no longer a prefetch-src. Instead, prefetch uses the "least restrictive directive": any directive can allow it, and by default it goes to default-src.

This allows using default-src to prevent exfiltration, while not introducing new hoops devs have to jump through to enable prefetching: if you enable any fetch for a URL, you can also prefetch it.

Spec: https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy

The intent is to:
- Remove the prefetch-src code
- Introduce the new behavior behind a flag, and go through the I2S process with it later on.

*Some notes about this:*
- Apple has recently implemented prefetch-src support in WebKit. However, this support is purely hypothetical because they don't support prefetching yet. We spoke with them and they are aligned with this change.
- prefetch-src was never *officially* shipped; however, the runtime flag protection was removed by mistake in 2021, so it silently shipped. The consequence of removing it would be that some prefetches that were disallowed by prefetch-src (there is some minor usage of prefetch-src in the wild even though it was never shipped) would now be allowed until the new flag is enabled (the previous "official" behavior was that prefetches are not CSP-protected). We can alternatively add a deprecation flag for prefetch-src and keep both code paths, but I wonder if that's worth the hassle since, as mentioned before, it was never officially shipped and its removal would have only minor effects that are not "breaking".

Link to prefetch-src: https://chromestatus.com/feature/4607623783514112
Link to new behavior: https://chromestatus.com/feature/5553640629075968
