LGTM3, thanks for making this change visible.

On Mon, Mar 13, 2023 at 11:42 PM TAMURA, Kent <tk...@chromium.org> wrote:
> LGTM2.
> I agree with Yoav.
>
> On Mon, Mar 13, 2023 at 6:59 PM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
>> LGTM1. This seems like a reasonable, compatible addition which doesn't
>> modify the interop risk calculus.
>>
>> On Thu, Mar 9, 2023 at 2:26 PM 'Takashi Toyoshima' via blink-dev <
>> blink-dev@chromium.org> wrote:
>>
>>> Hi blink-dev,
>>> This Intent to Ship is a bit unusual because we accidentally launched
>>> this change in M110, and are now properly going through the Intent to Ship
>>> process.
>>>
>>> Here is the Intent, and let us know if there's anything else we should
>>> do to handle this unusual situation:
>>> We already modify our workflow to track each launch process closely with
>>> our TPM so to avoid this kind of mistakes in the future.
>>>
>>
>> Thanks for catching that and aligning your workflows to prevent future
>> web exposed changes from bypassing the process.
>>
>>>
>>> Contact emails
>>>
>>> toyos...@chromium.org
>>>
>>> Specification
>>>
>>> https://wicg.github.io/nav-speculation/speculation-rules.html
>>>
>>> https://github.com/WICG/nav-speculation/pull/213
>>>
>>> https://github.com/WICG/nav-speculation/pull/245
>>>
>>> Summary
>>>
>>> Speculation rules are inlined in script tags, but their use will be
>>> restricted by Content Security Policy as unsafe inline scripts even if the
>>> speculation rules are safe.
>>>
>>> So, we extend the Content Security Policy to have a new source keyword,
>>> ‘inline-speculation-rules’, for inline uses of speculation rules. With this
>>> new keyword, we can permit inline speculation rules without permitting
>>> inline scripts.
>>>
>>> Blink component
>>>
>>> Blink>SecurityFeature>ContentSecurityPolicy
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>>>
>>> TAG review
>>>
>>> https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1461312356
>>>
>>> TAG review status
>>>
>>> Ongoing as a delta for Speculation Rules (Prefetch)
>>> <https://github.com/w3ctag/design-reviews/issues/721>
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> Gecko: No signal
>>> <https://github.com/mozilla/standards-positions/issues/620>
>>>
>>> WebKit: No signal
>>> <https://github.com/WebKit/standards-positions/issues/54>
>>>
>>> Web developers: We heard positive feedback from partners as there was
>>> no handy approach to permit speculation rules without allowing unsafe
>>> inline scripts.
>>>
>>> Other signals:
>>>
>>> WebView application risks
>>>
>>> No incompatible change for existing APIs.
>>>
>>> Debuggability
>>>
>>> DevTools show proper warning messages as we do for other CSP violations.
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, Chrome OS, Android, and Android WebView)?
>>>
>>> Yes
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>> ?
>>>
>>> Yes, in speculation-rules/prerender/csp-script-src-*
>>>
>>> Flag name
>>>
>>> N/A
>>> (base::Feature is
>>> network::features::kPrerender2ContentSecurityPolicyExtensions)
>>>
>>> Requires code in //chrome?
>>>
>>> False for web exposed changes, but have a small change in
>>> chrome/browser/extensions/ to support it in Chrome Extensions too.
>>>
>>> Estimated milestones
>>>
>>> 110
>>>
>>> Anticipated spec changes
>>>
>>> No specific concern.
>>>
>>> Link to entry on the Chrome Platform Status
>>>
>>> https://chromestatus.com/feature/5182859125456896
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>>
>>> --
>>> Takashi Toyoshima
>>> Software Engineer, Google
>
> --
> TAMURA Kent
> Software Engineer, Google
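
The effect of the keyword described in the Summary quoted above, as an added example that is not part of the thread and is not Blink's code: a simplified model of the CSP check for an inline `<script>` element that carries no nonce and has no matching hash. The function names, the `POLICIES` table and the three sample policies are constructed for illustration, and letting the keyword take effect regardless of nonce or hash sources is an assumption of this model.

```javascript
// Added illustration: simplified model of the CSP inline-script check.
// Not Blink's implementation; names and sample policies are constructed.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A directive name that repeats is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Inline <script> elements are governed by script-src-elem, which falls
// back to script-src and then default-src.
function effectiveSources(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// scriptType: 'classic' or 'speculationrules'. Models an element with no
// nonce attribute and no matching hash in the policy.
function allowsInline(header, scriptType) {
  const sources = effectiveSources(parseCsp(header));
  if (sources === null) return true; // no applicable directive
  if (scriptType === 'speculationrules' &&
      sources.includes("'inline-speculation-rules'")) {
    return true; // the new keyword covers speculation rules only
  }
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const overridden = sources.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return sources.includes("'unsafe-inline'") && !overridden;
}

const POLICIES = {
  strict: "script-src 'self'",
  broad: "script-src 'self' 'unsafe-inline'",
  scoped: "script-src 'self' 'inline-speculation-rules'",
};

for (const [label, csp] of Object.entries(POLICIES)) {
  console.log(label, {
    classic: allowsInline(csp, 'classic'),
    speculationrules: allowsInline(csp, 'speculationrules'),
  });
}
```

Only the `scoped` policy allows the speculation rules block while still refusing a classic inline script, which is the case the Intent describes.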