LGTM1 Thanks for cleaning this up and landing on a solution that's ideal for developers (as CSP for prefetches would Just Work™, based on their other directives).
On Wed, Feb 15, 2023 at 11:53 AM Noam Rosenthal <nrosent...@chromium.org> wrote:
> Contact emails
> nrosent...@chromium.org
>
> Specification
> https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy
>
> Summary
>
> A replacement for the `prefetch-src` directive, which never got traction
> and was recently removed. Instead of relying on a bespoke CSP directive,
> <link rel=prefetch> (and later preconnect/dns-prefetch) would be allowed if
> *any* directive in the policy would allow fetching this URL for any reason.
> This is because prefetching/preconnecting does not actually do anything
> with the resource, but only fetches it for a later reason. This allows
> developers to use resource hints without needing to tweak their content
> security policy, while giving a tool to prevent exfiltration by having
> default-src block prefetches. For example:
>
> default-src *
> default-src 'none'
> script-src *
>
> would allow prefetch, while `default-src 'none'` would not.
>
> Blink component
> Blink>SecurityFeature>ContentSecurityPolicy
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>
> TAG review
>
> TAG review status
> Not applicable
>
> Risks
>
> The impact of this would be that pages with a very restrictive CSP
> (e.g. `default-src 'none'` with nothing else) will not allow
> prefetches, causing a slight performance hit if they were relying on
> those prefetches. This is the intended consequence though, as now those
> pages can prevent exfiltration via prefetch.
>
> Interoperability and Compatibility
>
> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/723)
> *WebKit*: Positive (https://github.com/WebKit/standards-positions/issues/114)
> *Web developers*: No signals
>
> WebView application risks
> N/A
>
> Debuggability
>
> N/A
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, Chrome OS, Android, and Android WebView)?
> Yes
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes. See https://wpt.fyi/results/content-security-policy/resource-hints
>
> Flag name
> ResourceHintsLeastRestrictiveCSP
>
> Requires code in //chrome?
> False
>
> Tracking bug
> https://bugs.chromium.org/p/chromium/issues/detail?id=1406444
>
> Estimated milestones
>
> 112
>
> Anticipated spec changes
>
> No known open issues
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5553640629075968
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJn%3DMYbyNuJ9Hf148ai8_HCocdwsWEZrrpuf-xr7-VHE6NuHPQ%40mail.gmail.com
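The "allowed if any directive would allow it" rule from the quoted intent, as an added example that is not part of the thread or of Chromium's code. It assumes a reduced CSP source-matching model (no ports or paths) and, as an assumption from my reading of the linked spec section, that a policy without default-src never blocks a resource hint.

```javascript
// Added example, not code from the thread or Chromium: a simplified model of
// the CSP3 "Does resource hint violate policy?" check. A prefetch is allowed
// if ANY fetch directive (default-src included) would allow the URL. Matching
// covers 'none', *, 'self', scheme-sources and host-sources with optional
// scheme and *. prefix; ports, paths and the rest of CSP3 are out of scope.

const FETCH_DIRECTIVES = new Set([
  "default-src", "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "script-src-elem",
  "script-src-attr", "style-src", "style-src-elem", "style-src-attr", "worker-src",
]);

// "default-src 'none'; script-src *" -> Map { default-src => ["'none'"], script-src => ["*"] }
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Only the first occurrence of a directive name counts, as in CSP3.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the hinted URL?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;                     // simplified: any network scheme
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;            // nonces/hashes never match a URL
  if (s.endsWith(":")) return url.protocol === s; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return host === "*" || url.hostname === host;
}

// True when a prefetch/preconnect to urlString is permitted by policyText.
// Assumption (my reading of the linked spec section): with no default-src
// present, a resource hint is never blocked.
function resourceHintAllowed(policyText, urlString, pageOrigin) {
  const policy = parsePolicy(policyText);
  if (!policy.has("default-src")) return true;
  const url = new URL(urlString);
  for (const [name, sources] of policy) {
    if (FETCH_DIRECTIVES.has(name) && sources.some((src) => sourceMatches(src, url, pageOrigin))) return true;
  }
  return false;
}
```

A real implementation must follow the full CSP3 source matching algorithm; this model is only enough to reproduce the three policies discussed in the intent.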