Contact emails
dome...@chromium.org, jbro...@chromium.org, liviuti...@chromium.org

Explainer
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss

Specification
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss

Summary

This is somewhat of a bug-fix, but it's a web-exposed bug fix which
deserves full web platform security review, so we're using the Intent to
Ship process. When we initially shipped the Speculation-Rules header, we
reused much of the architecture from the <script type=speculationrules>
implementation, and thus it was blocked by CSP policies that blocked
<script> elements. This has caused some friction among web developers
adopting the Speculation-Rules header, who expected CSP to only apply to
<script>s. After consulting with Google and Chrome security teams, we
realized our initial implementation was a mistake, as CSP's script policies
are meant to protect against injection of scripts into HTML, and the CSP
threat model doesn't relate to HTTP headers. As such, we're updating the
integration between speculation rules and CSP so that CSP only applies to
<script type=speculationrules>, and not to the Speculation-Rules header.
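To make the new boundary concrete, here is an added model of how a CSP script-src directive applies to the two delivery mechanisms; this is illustration code, not Chromium's implementation, and the evaluator, the policy string, the nonce and the ruleset are all constructed for the example (the header case simply reflects the post-change exemption described above).

```python
import base64
import hashlib


def script_src_sources(csp):
    """Source expressions governing <script>: script-src, else default-src, else None."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src"))


def sha256_source(body):
    """Hash-source expression for an inline script body, e.g. 'sha256-...'."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(csp, body, nonce=None):
    """CSP check for an inline <script> element, including <script type=speculationrules>."""
    sources = script_src_sources(csp)
    if sources is None:
        return True  # no applicable directive, so the policy does not restrict inline scripts
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    has_nonce_or_hash = any(s.startswith(prefixes) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True  # 'unsafe-inline' is ignored once a nonce or hash source is present
    if nonce is not None and "'nonce-" + nonce + "'" in sources:
        return True
    return sha256_source(body) in sources


def speculation_rules_allowed(csp, delivery, body="", nonce=None):
    """delivery is 'header' (Speculation-Rules header) or 'inline' (<script type=speculationrules>)."""
    if delivery == "header":
        return True  # after this change CSP script policies no longer apply to the header
    if delivery == "inline":
        return inline_script_allowed(csp, body, nonce)
    raise ValueError("unknown delivery mechanism: " + delivery)


# Constructed example: a strict nonce-based policy and one ruleset delivered both ways.
STRICT_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'"
RULES = '{"prerender": [{"source": "document", "where": {"href_matches": "/*"}}]}'
```

With STRICT_CSP, the header delivery is allowed while the inline element is blocked unless it carries the matching nonce, which is exactly the distinction the change draws.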


Blink component
Internals>Preload
https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EPreload

TAG review
None

TAG review status
Not applicable

Risks


Interoperability and Compatibility

None


*Gecko*: N/A

*WebKit*: N/A

*Web developers*: No signals

*Other signals*:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

This feature changes the behavior of existing APIs. The Finch killswitch is
ExemptSpeculationRulesHeaderFromCSP.


Debuggability

Developers can check in DevTools, via the existing CSP DevTools support,
whether speculation rules specified via the Speculation-Rules header are
loaded successfully in the presence of a strict Content-Security-Policy.


Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, ChromeOS, Android, and Android WebView)?
No

Is this feature fully tested by web-platform-tests
(https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md)?
Yes

https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned


Flag name on chrome://flags
None

Finch feature name
ExemptSpeculationRulesHeaderFromCSP

Requires code in //chrome?
False

Measurement
https://chromestatus.com/metrics/feature/timeline/popularity/4394

Availability expectation
Feature is available only in Chromium browsers for the foreseeable future.

Adoption expectation
Feature is used by specific partner(s) to provide functionality within 12
months of launch in Chrome.

Adoption plan
Speculation-Rules header was adopted by Cloudflare for the product Speed Brain:
https://developers.cloudflare.com/speed/optimization/content/speed-brain/

Non-OSS dependencies

Does the feature depend on any code or APIs outside the Chromium open
source repository and its open-source dependencies to function?
No.

Estimated milestones
Shipping on desktop 131
Shipping on Android 131
Shipping on WebView 131

Anticipated spec changes

Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github issues
in the project for the feature specification) whose resolution may
introduce web compat/interop risk (e.g., changing to naming or structure of
the API in a non-backward-compatible way).
None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5123809745829888?gate=5122300803022848

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com.