Contact emails

nrosent...@chromium.org

Specification

https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy

Summary

A replacement for the `prefetch-src` directive, which never got traction
and was recently removed. Instead of relying on a bespoke CSP directive,
<link rel=prefetch> (and later preconnect/dns-prefetch) would be allowed if
*any* directive in the policy would allow fetching this URL for any reason.
This is because prefetching/preconnecting does not actually do anything
with the resource, but only fetches it for later use. This allows
developers to use resource hints without needing to tweak their content
security policy, while still giving them a tool to prevent exfiltration:
a default-src that blocks the URL also blocks the prefetch. For example,
`default-src *` or `default-src 'none'; script-src *` would allow the
prefetch, while `default-src 'none'` on its own would not.
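To make the "any directive would allow it" rule concrete, here is a small model of the check in Python. This is an added illustration written for this post, not Chromium's or the spec's code: it parses a serialized policy, matches a URL against a reduced set of source expressions (`*`, `'none'`, `'self'`, scheme sources, host sources with optional wildcard, port and path), and reports whether a resource hint for that URL would be allowed. The `self_origin` default, the hostnames and the policies in the tests are constructed sample values; nonces, hashes and `'strict-dynamic'` are deliberately left out, so treat it as a model of the rule in the summary rather than a conformant implementation.

```python
"""Simplified model of the CSP3 "does resource hint request violate
policy?" rule: a <link rel=prefetch> URL is allowed when the policy has no
default-src at all, or when ANY fetch directive (default-src included)
contains a source expression matching the URL.

Added example for this intent, not Chromium code. Only a subset of source
expressions is handled; nonces, hashes and 'strict-dynamic' are ignored.
"""
from urllib.parse import urlsplit

# Fetch directive names from CSP3 (the ones that carry source lists).
FETCH_DIRECTIVES = {
    "default-src", "child-src", "connect-src", "font-src", "frame-src",
    "img-src", "manifest-src", "media-src", "object-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header):
    """Serialized CSP -> {directive-name: [source expressions]}.
    Directives are ';'-separated, tokens whitespace-separated; as in the
    spec, the first occurrence of a directive name wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _scheme_matches(pattern, scheme):
    # http: also covers https, ws: also covers wss (the spec's upgrade rule).
    return pattern == scheme or (pattern, scheme) in {("http", "https"), ("ws", "wss")}


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # *.example.net matches cdn.example.net
    return host == pattern


def source_matches(expr, url, self_origin):
    """Does one source expression match url? self_origin = (scheme, host, port)."""
    expr = expr.lower()
    parts = urlsplit(url)
    if expr == "*":
        return parts.scheme in NETWORK_SCHEMES
    if expr == "'self'":
        return (parts.scheme, parts.hostname, _effective_port(parts)) == self_origin
    if expr.startswith("'"):
        return False                           # 'none', nonces, hashes, other keywords
    scheme, rest = (None, expr)
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    elif expr.endswith(":"):
        return _scheme_matches(expr[:-1], parts.scheme)   # scheme-source, e.g. https:
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme and not _scheme_matches(scheme, parts.scheme):
        return False
    if not _host_matches(host, (parts.hostname or "").lower()):
        return False
    if port and port != "*" and int(port) != _effective_port(parts):
        return False
    if path:
        want, have = "/" + path, parts.path or "/"
        # A trailing slash means prefix match; otherwise the path must be exact.
        return have.startswith(want) if want.endswith("/") else have == want
    return True


def resource_hint_allowed(header, url, self_origin=("https", "example.test", 443)):
    """No default-src: hint allowed. Otherwise allowed if any fetch directive
    has a source expression that matches url."""
    policy = parse_policy(header)
    if "default-src" not in policy:
        return True
    return any(
        any(source_matches(expr, url, self_origin) for expr in sources)
        for name, sources in policy.items()
        if name in FETCH_DIRECTIVES
    )


if __name__ == "__main__":
    target = "https://cdn.example.net/a.js"          # constructed sample URL
    for policy in ("default-src *", "default-src 'none'; script-src *", "default-src 'none'"):
        print(f"{policy!r:40} -> prefetch allowed: {resource_hint_allowed(policy, target)}")
```

The three policies printed at the bottom are the ones from the summary: the first two allow the prefetch (via `default-src *` and via `script-src *` respectively), the third blocks it. Note that, under this rule, a wildcard in any fetch directive is enough to let a prefetch out, so a page that wants to stop prefetch-based exfiltration has to keep every fetch directive tight, not just default-src.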


Blink component

Blink>SecurityFeature>ContentSecurityPolicy
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>

TAG review

TAG review status

Not applicable

Risks

The impact of this would be that pages with a very restrictive CSP
(e.g. `default-src 'none'` with nothing else) will not allow prefetches,
causing a slight performance hit if they were relying on those prefetches.
This is the intended consequence though, as now those pages can prevent
exfiltration via prefetch.

Interoperability and Compatibility

*Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/723)
*WebKit*: Positive (https://github.com/WebKit/standards-positions/issues/114)
*Web developers*: No signals

WebView application risks

N/A

Debuggability

N/A

Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

Yes. See https://wpt.fyi/results/content-security-policy/resource-hints

Flag name

ResourceHintsLeastRestrictiveCSP

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1406444

Estimated milestones

112


Anticipated spec changes

No known open issues


Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5553640629075968

This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
