Hi blink-dev,

This Intent to Ship is a bit unusual because we accidentally launched this change in M110, and are now properly going through the Intent to Ship process.

Here is the Intent, and let us know if there's anything else we should do to handle this unusual situation: We have already modified our workflow to track each launch process closely with our TPM, so as to avoid this kind of mistake in the future.

Contact emails
[email protected]

Specification
https://wicg.github.io/nav-speculation/speculation-rules.html
https://github.com/WICG/nav-speculation/pull/213
https://github.com/WICG/nav-speculation/pull/245

Summary
Speculation rules are inlined in script tags, but their use will be restricted by Content Security Policy as unsafe inline scripts even if the speculation rules are safe. So, we extend the Content Security Policy to have a new source keyword, 'inline-speculation-rules', for inline uses of speculation rules. With this new keyword, we can permit inline speculation rules without permitting inline scripts.

Blink component
Blink>SecurityFeature>ContentSecurityPolicy <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>

TAG review
https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1461312356

TAG review status
Ongoing as a delta for Speculation Rules (Prefetch) <https://github.com/w3ctag/design-reviews/issues/721>

Risks

Interoperability and Compatibility

Gecko: No signal <https://github.com/mozilla/standards-positions/issues/620>

WebKit: No signal <https://github.com/WebKit/standards-positions/issues/54>

Web developers: We heard positive feedback from partners as there was no handy approach to permit speculation rules without allowing unsafe inline scripts.

Other signals:

WebView application risks
No incompatible change for existing APIs.

Debuggability
DevTools show proper warning messages as we do for other CSP violations.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes, in speculation-rules/prerender/csp-script-src-*

Flag name
N/A (base::Feature is network::features::kPrerender2ContentSecurityPolicyExtensions)

Requires code in //chrome?
False for web exposed changes, but we have a small change in chrome/browser/extensions/ to support it in Chrome Extensions too.

Estimated milestones
110

Anticipated spec changes
No specific concern.

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5182859125456896

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.

--
Takashi Toyoshima
Software Engineer, Google
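The following is an added example, not part of the original message and not Chromium's code: a small audit helper that reports whether a Content-Security-Policy header value permits inline speculation rules without also permitting all inline scripts, which is the separation the Summary describes. The function names are hypothetical, and the model is a simplification that assumes a single policy, the usual script-src-elem, script-src, default-src fallback for inline script elements, and keyword sources only (per-element nonce and hash matching is not evaluated).

```javascript
// Added example: simplified audit of one CSP header value (keyword sources only).
// Assumption: inline <script> elements, including type="speculationrules",
// are governed by the first directive present in this fallback chain.
const SCRIPT_FALLBACK = ['script-src-elem', 'script-src', 'default-src'];

function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns which directive governs inline scripts, whether un-nonced inline
// speculation rules are permitted, and whether ALL inline scripts are permitted.
function auditInlineScriptPolicy(headerValue) {
  const directives = parsePolicy(headerValue);
  const governing = SCRIPT_FALLBACK.find((d) => directives.has(d)) || null;
  if (governing === null) {
    // No directive restricts script elements, so nothing is blocked.
    return { governing, speculationRules: true, allInlineScripts: true };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const allInlineScripts = sources.includes("'unsafe-inline'") &&
    !hasNonceOrHash && !sources.includes("'strict-dynamic'");
  const speculationRules = allInlineScripts ||
    sources.includes("'inline-speculation-rules'");
  return { governing, speculationRules, allInlineScripts };
}

// Constructed sample policies: the broad workaround vs. the narrow keyword.
const broad = auditInlineScriptPolicy("script-src 'self' 'unsafe-inline'");
const narrow = auditInlineScriptPolicy(
  "script-src 'self' 'inline-speculation-rules'");
console.log({ broad, narrow });
```

A policy for which the helper returns `speculationRules: true` together with `allInlineScripts: true` is a candidate for tightening to the new keyword.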
