+Jason Robbins <[email protected]> - another one that our tooling missed..
This intent seems to be missing a lot of the typical fields intents have, which makes it hard to review that all the checkboxes are properly filled. Can you maybe resend it based on the Chromestatus template?

On Sun, Feb 5, 2023 at 7:50 AM Noam Rosenthal <[email protected]> wrote:

> As part of the effort to make prefetch interoperable, we have recently changed the CSP spec, where there is no more prefetch-src. Instead, prefetch uses the "least restrictive directive" - any directive can allow CSP and by default it goes to default-src.
>
> This allows using default-src to prevent exfiltration, while not introducing new hoops devs have to jump through to enable prefetching - if you enable any fetch for a URL, you can also prefetch it.
>
> Spec: https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy
>
> The intent is to:
> - Remove the prefetch-src code
> - Introduce the new behavior behind a flag, and go through the I2S process with it later on.
>
> *Some notes about this:*
> - Apple has recently implemented prefetch-src support in WebKit. However, this support is purely hypothetical because they don't support prefetching yet. We spoke with them and they are aligned with this change.
> - prefetch-src was never *officially* shipped, however the runtime flag protection was removed by mistake in 2021, so it silently shipped. The consequence of removing it would be that some prefetches that were disallowed by prefetch-src (there is some minor usage of prefetch-src in the wild even though it was never shipped), would now be allowed until the new flag is enabled (the previous "official" behavior was that prefetches are not CSP-protected).
>
> We can alternatively add a deprecation flag for prefetch-src and keep both code-paths, but I wonder if that's worth the hassle since, as mentioned before, it was never officially shipped and its removal would have only minor effects that are not "breaking".
>
> Link to prefetch-src: https://chromestatus.com/feature/4607623783514112
> Link to new behavior: https://chromestatus.com/feature/5553640629075968
