LGTM3

On Wed, Feb 22, 2023 at 8:07 AM Noam Rosenthal <nrosent...@chromium.org> wrote:

> Anyone for a LGTM3? :)
>
> On Wed, Feb 15, 2023 at 6:24 PM Mike Taylor <miketa...@chromium.org> wrote:
>
>> LGTM2
>>
>> On Wed, Feb 15, 2023 at 9:58 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>>
>>> LGTM1
>>>
>>> Thanks for cleaning this up and landing on a solution that's ideal for
>>> developers (as CSP for prefetches would Just Work™, based on their other
>>> directives).
>>>
>>> On Wed, Feb 15, 2023 at 11:53 AM Noam Rosenthal <nrosent...@chromium.org> wrote:
>>>
>>>> Contact emails: nrosent...@chromium.org
>>>>
>>>> Specification
>>>> https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy
>>>>
>>>> Summary
>>>>
>>>> A replacement for the `prefetch-src` directive, which never got traction
>>>> and was recently removed. Instead of relying on a bespoke CSP directive,
>>>> <link rel=prefetch> (and later preconnect/dns-prefetch) would be allowed
>>>> if *any* directive in the policy would allow fetching this URL for any
>>>> reason. This is because prefetching/preconnecting does not actually do
>>>> anything with the resource, but only fetches it for a later reason. This
>>>> allows developers to use resource hints without needing to tweak their
>>>> content security policy, while giving a tool to prevent exfiltration by
>>>> having default-src block prefetches. For example:
>>>>
>>>> default-src *
>>>> default-src 'none' script-src *
>>>>
>>>> would allow prefetch, while `default-src 'none'` would not.
>>>>
>>>> Blink component: Blink>SecurityFeature>ContentSecurityPolicy
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>>>>
>>>> TAG review
>>>>
>>>> TAG review status: Not applicable
>>>>
>>>> Risks
>>>>
>>>> The impact of this would be that pages with a very restrictive CSP (e.g.
>>>> `default-src 'none'` with nothing else) will not allow prefetches,
>>>> causing a slight performance hit if they were relying on those
>>>> prefetches. This is the intended consequence though, as now those pages
>>>> can prevent exfiltration via prefetch.
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/723)
>>>> *WebKit*: Positive (https://github.com/WebKit/standards-positions/issues/114)
>>>> *Web developers*: No signals
>>>>
>>>> WebView application risks
>>>>
>>>> N/A
>>>>
>>>> Debuggability
>>>>
>>>> N/A
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>>> Linux, Chrome OS, Android, and Android WebView)? Yes
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>> Yes. See https://wpt.fyi/results/content-security-policy/resource-hints
>>>>
>>>> Flag name: ResourceHintsLeastRestrictiveCSP
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug
>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1406444
>>>>
>>>> Estimated milestones
>>>>
>>>> 112
>>>>
>>>> Anticipated spec changes
>>>>
>>>> No known open issues
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/5553640629075968
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com/>.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJn%3DMYbyNuJ9Hf148ai8_HCocdwsWEZrrpuf-xr7-VHE6NuHPQ%40mail.gmail.com
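The least-restrictive rule the intent above describes, as an added JavaScript example that is neither Chromium's nor the spec's code: a simplified model of the CSP3 resource-hint check, showing why `default-src 'none'; script-src *` lets a prefetch through while `default-src 'none'` alone blocks it. It assumes a reduced source-expression grammar (the keywords 'none', 'self' and '*', scheme sources, and host sources with an optional leading "*." wildcard); ports, paths, nonces and hashes are deliberately left out.

```javascript
// Simplified model of CSP3's "does resource hint violate policy" check
// (added example, not Chromium code). Assumed simplifications: only
// 'none', '*', 'self', scheme sources and host sources (optionally with a
// leading "*." wildcard) are matched; ports, paths, nonces and hashes are
// ignored. A prefetch is allowed if ANY fetch directive would allow the URL,
// and only a default-src directive can restrict hints at all.
const FETCH_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "child-src",
  "worker-src", "manifest-src",
]);

// Parse "default-src 'none'; script-src *" into Map(directive -> [sources]).
// As in CSP, a repeated directive name is ignored; the first one wins.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the URL?
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// The new, least-restrictive rule: with no default-src the hint is allowed;
// otherwise it is allowed if any fetch directive would allow the URL.
function resourceHintAllowed(policyText, urlText, selfOrigin) {
  const policy = parsePolicy(policyText);
  if (!policy.has("default-src")) return true;
  const url = new URL(urlText);
  for (const [name, sources] of policy) {
    if (!FETCH_DIRECTIVES.has(name)) continue;
    if (sources.some((src) => sourceMatches(src, url, selfOrigin))) return true;
  }
  return false;
}
```

Running `resourceHintAllowed("default-src 'none'", "https://cdn.example/app.js", "https://app.example")` returns false, which is the exfiltration-blocking case the intent calls out; adding `script-src *` to that policy flips it to true.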