LGTM2

On Wed, Feb 15, 2023 at 9:58 AM Yoav Weiss <yoavwe...@chromium.org> wrote:

> LGTM1
>
> Thanks for cleaning this up and landing on a solution that's ideal for
> developers (as CSP for prefetches would Just Work™, based on their other
> directives).
>
> On Wed, Feb 15, 2023 at 11:53 AM Noam Rosenthal <nrosent...@chromium.org>
> wrote:
>
>> Contact emails
>> nrosent...@chromium.org
>>
>> Specification
>> https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy
>>
>> Summary
>>
>> A replacement for the `prefetch-src` directive, which never got traction
>> and was recently removed. Instead of relying on a bespoke CSP directive,
>> <link rel=prefetch> (and later preconnect/dns-prefetch) would be allowed if
>> *any* directive in the policy would allow fetching this URL for any reason.
>> This is because prefetching/preconnecting does not actually do anything
>> with the resource, but only fetches it for a later reason. This allows
>> developers to use resource hints without needing to tweak their content
>> security policy, while giving a tool to prevent exfiltration by having
>> default-src block prefetches. For example:
>>
>>     default-src *
>>     default-src 'none'; script-src *
>>
>> would allow prefetch, while `default-src 'none'` would not.
>>
>> Blink component
>> Blink>SecurityFeature>ContentSecurityPolicy
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>>
>> TAG review
>>
>> TAG review status
>> Not applicable
>>
>> Risks
>> The impact of this would be that pages with a very restrictive CSP
>> (e.g. `default-src 'none'` with nothing else) will not allow
>> prefetches, causing a slight performance hit if they were relying on
>> those prefetches. This is the intended consequence though, as now those
>> pages can prevent exfiltration via prefetch.
>>
>> Interoperability and Compatibility
>>
>> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/723)
>> *WebKit*: Positive (https://github.com/WebKit/standards-positions/issues/114)
>> *Web developers*: No signals
>>
>> WebView application risks
>> N/A
>>
>> Debuggability
>> N/A
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, Chrome OS, Android, and Android WebView)?
>> Yes
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>> Yes. See https://wpt.fyi/results/content-security-policy/resource-hints
>>
>> Flag name
>> ResourceHintsLeastRestrictiveCSP
>>
>> Requires code in //chrome?
>> False
>>
>> Tracking bug
>> https://bugs.chromium.org/p/chromium/issues/detail?id=1406444
>>
>> Estimated milestones
>> 112
>>
>> Anticipated spec changes
>> No known open issues
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5553640629075968
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJn%3DMYbyNuJ9Hf148ai8_HCocdwsWEZrrpuf-xr7-VHE6NuHPQ%40mail.gmail.com
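The "allowed if any directive in the policy would allow fetching this URL" rule from the intent above, as an added example that is not part of the thread and not Chromium's or the spec's own code: a simplified JavaScript model of the CSP3 resource-hint check, run over a serialized policy header and a candidate prefetch URL. The function names (`parsePolicy`, `sourceMatches`, `resourceHintViolation`), the three constructed policies and the sample URL are my own; path matching, nonces, hashes and the http-to-https upgrade rule are deliberately left out, so this is a reading aid, not a conformant implementation.

```javascript
// Added example (not Chromium's code): a simplified model of the CSP3
// "does resource hint violate policy?" check. A prefetch/preconnect is
// allowed when ANY fetch directive would allow the URL; it is blocked only
// when none does and a default-src is present. Names here are hypothetical.
// Omitted: path matching, nonces/hashes, http->https upgrade matching.

const FETCH_DIRECTIVES = new Set([
  "default-src", "child-src", "connect-src", "font-src", "frame-src",
  "img-src", "manifest-src", "media-src", "object-src", "script-src",
  "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
  "style-src-attr", "worker-src",
]);

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a serialized policy ("a b; c d") into Map(directive -> source list).
// CSP3 keeps the first occurrence of a duplicated directive name.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const chunk of policyText.split(";")) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Does one source expression match `url` (a URL object)? `selfOrigin` is
// the protected document's origin, e.g. "https://app.example".
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "*") return url.protocol in DEFAULT_PORT; // network schemes only
  if (e === "'self'") return url.origin === selfOrigin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme ? url.protocol !== scheme + ":" : !(url.protocol in DEFAULT_PORT)) return false;
  const h = url.hostname;
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === undefined) return url.port === ""; // no port given: default port only
  return port === "*" || port === urlPort;
}

function sourceListAllows(list, url, selfOrigin) {
  return list.some((expr) => sourceMatches(expr, url, selfOrigin));
}

// Returns null when the hint may proceed, otherwise the name of the
// directive reported in the violation ("default-src").
function resourceHintViolation(policyText, urlText, selfOrigin) {
  const directives = parsePolicy(policyText);
  const url = new URL(urlText);
  for (const [name, list] of directives) {
    if (FETCH_DIRECTIVES.has(name) && sourceListAllows(list, url, selfOrigin)) {
      return null; // some directive would fetch this URL, so the hint is fine
    }
  }
  // Nothing allowed it: only default-src can block a resource hint.
  return directives.has("default-src") ? "default-src" : null;
}

// Constructed policies from the intent message, checked against one URL.
const HINT = "https://cdn.example.com/app.js";
const SELF = "https://app.example";
for (const policy of ["default-src *", "default-src 'none'; script-src *", "default-src 'none'"]) {
  const v = resourceHintViolation(policy, HINT, SELF);
  console.log(`${policy.padEnd(34)} -> ${v === null ? "prefetch allowed" : "blocked by " + v}`);
}
```

The loop mirrors the thread's point: `default-src 'none'; script-src *` lets the prefetch through because `script-src` would fetch that URL anyway, while a bare `default-src 'none'` is the one shape that blocks it, which is exactly the exfiltration control the intent describes. The last branch also reflects the spec's asymmetry: a policy with no `default-src` never blocks a hint, however tight its other directives.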