Cool! Apologies for the noise! :)

On Fri, Feb 17, 2023 at 10:49 AM Noam Rosenthal <[email protected]> wrote:
>
> On Fri, Feb 17, 2023 at 10:02 AM Yoav Weiss <[email protected]> wrote:
>
>> +Jason Robbins <[email protected]> - another one that our tooling missed..
>>
>> This intent seems to be missing a lot of the typical fields intents have,
>> which makes it hard to review that all the checkboxes are properly filled.
>> Can you maybe resend it based on the Chromestatus template?
>
> I've done that already last week and it was LGTMed :)
>
>> On Sun, Feb 5, 2023 at 7:50 AM Noam Rosenthal <[email protected]> wrote:
>>
>>> As part of the effort to make prefetch interoperable, we have recently
>>> changed the CSP spec, where there is no more prefetch-src. Instead,
>>> prefetch uses the "least restrictive directive" - any directive can allow
>>> CSP and by default it goes to default-src.
>>>
>>> This allows using default-src to prevent exfiltration, while not
>>> introducing new hoops devs have to jump through to enable prefetching - if
>>> you enable any fetch for a URL, you can also prefetch it.
>>>
>>> Spec: https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy
>>>
>>> The intent is to:
>>> - Remove the prefetch-src code
>>> - Introduce the new behavior behind a flag, and go through the I2S
>>> process with it later on.
>>>
>>> *Some notes about this:*
>>> - Apple has recently implemented prefetch-src support in WebKit.
>>> However, this support is purely hypothetical because they don't support
>>> prefetching yet. We spoke with them and they are aligned with this change.
>>> - prefetch-src was never *officially* shipped, however the runtime flag
>>> protection was removed by mistake in 2021, so it silently shipped. The
>>> consequence of removing it would be that some prefetches that were
>>> disallowed by prefetch-src (there is some minor usage of prefetch-src in
>>> the wild even though it was never shipped), would now be allowed until the
>>> new flag is enabled (the previous "official" behavior was that prefetches
>>> are not CSP-protected).
>>>
>>> We can alternatively add a deprecation flag for prefetch-src and keep
>>> both code-paths, but I wonder if that's worth the hassle since, as
>>> mentioned before, it was never officially shipped and its removal would
>>> have only minor effects that are not "breaking".
>>>
>>> Link to prefetch-src: https://chromestatus.com/feature/4607623783514112
>>> Link to new behavior: https://chromestatus.com/feature/5553640629075968
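
The "least restrictive directive" behavior described in the quoted intent, as an added example that is not part of the thread and is not Chromium or spec code. The function names, the `.example` origins and the simplified source matching are assumptions made for illustration, as is treating a policy without default-src as not restricting prefetch.

```javascript
// Added example: simplified model of the "least restrictive directive" rule for prefetch.
// Assumptions (not from the thread): only '*', 'none', 'self' and exact-origin sources
// are matched, and a policy without default-src is treated as not restricting prefetch.
const FETCH_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr', 'style-src',
  'style-src-elem', 'style-src-attr', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// Parse a serialized policy into Map(directive name -> source expressions).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // duplicates are ignored
  }
  return policy;
}

// Does one source list allow this URL? (simplified matcher, see assumptions)
function sourceListAllows(sources, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") return origin === selfOrigin;
    try { return new URL(src).origin === origin; } catch { return false; }
  });
}

// Prefetch passes if ANY fetch directive allows the URL; otherwise the
// violation is attributed to default-src.
function checkPrefetch(header, url, selfOrigin) {
  const policy = parsePolicy(header);
  if (!policy.has('default-src')) return { allowed: true, allowedBy: null, violated: null };
  for (const [name, sources] of policy) {
    if (FETCH_DIRECTIVES.has(name) && sourceListAllows(sources, url, selfOrigin)) {
      return { allowed: true, allowedBy: name, violated: null };
    }
  }
  return { allowed: false, allowedBy: null, violated: 'default-src' };
}
```

Non-fetch directives such as report-uri are deliberately excluded from the loop, so a reporting endpoint listed in the policy does not become a permitted prefetch destination in this model.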
