On 10/8/24 1:05 PM, Liviu Tinta wrote:


        Contact emails


        dome...@chromium.org, jbro...@chromium.org,
        liviuti...@chromium.org


        Explainer


        
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss


        Specification


        
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss


        Summary


        This is somewhat of a bug-fix, but it's a web-exposed bug fix
        which deserves full web platform security review, so we're
        using the Intent to Ship process. When we initially shipped
        the Speculation-Rules header, we reused much of the
        architecture from the <script type=speculationrules>
        implementation, and thus it was blocked by CSP policies that
        blocked <script> elements. This has caused some friction among
        web developers adopting the Speculation-Rules header, who
        expected CSP to only apply to <script>s. After consulting with
        Google and Chrome security teams, we realized our initial
        implementation was a mistake, as CSP's script policies are
        meant to protect against injection of scripts into HTML, and
        the CSP threat model doesn't relate to HTTP headers. As such,
        we're updating the integration between speculation rules and
        CSP so that CSP only applies to <script
        type=speculationrules>, and not to the Speculation-Rules header.



        Blink component


        Internals>Preload
        
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EPreload>


        TAG review


        None


        TAG review status


        Not applicable


        Risks




        Interoperability and Compatibility


        None

Are there failure modes/compat implications y'all can think of by us sending the header where it was previously blocked? I can't think of anything, but you've probably thought about this for much longer than I have over the past 5 mins.




        /Gecko/: N/A

        /WebKit/: N/A

        /Web developers/: No signals

        /Other signals/:


        WebView application risks


        Does this intent deprecate or change behavior of existing
        APIs, such that it has potentially high risk for Android
        WebView-based applications?

        This feature changes the behavior of existing APIs. The Finch
        killswitch is ExemptSpeculationRulesHeaderFromCSP.



        Debuggability


        Developers can check whether the speculation rules specified via
        the Speculation-Rules header, in the presence of a strict
        Content-Security-Policy, are loaded successfully in DevTools via
        existing CSP DevTools support.



        Will this feature be supported on all six Blink platforms
        (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?


        No

Is WebView the outlier here?



        Is this feature fully tested by web-platform-tests
        
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?


        Yes

        
https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned
        



        Flag name on chrome://flags


        None


        Finch feature name


        ExemptSpeculationRulesHeaderFromCSP


        Requires code in //chrome?


        False


        Measurement


        https://chromestatus.com/metrics/feature/timeline/popularity/4394


        Availability expectation


        Feature is available only in Chromium browsers for the
        foreseeable future.


        Adoption expectation


        Feature is used by specific partner(s) to provide
        functionality within 12 months of launch in Chrome.


        Adoption plan


        Speculation-Rules header was adopted by Cloudflare for the
        Product Speed Brain:
        
https://developers.cloudflare.com/speed/optimization/content/speed-brain/


        Non-OSS dependencies


        Does the feature depend on any code or APIs outside the
        Chromium open source repository and its open-source
        dependencies to function?

        No.


        Estimated milestones


        Shipping on desktop     131
        Shipping on Android     131
        Shipping on WebView     131



        Anticipated spec changes


        Open questions about a feature may be a source of future web
        compat or interop issues. Please list open issues (e.g. links
        to known github issues in the project for the feature
        specification) whose resolution may introduce web
        compat/interop risk (e.g., changes to naming or structure of
        the API in a non-backward-compatible way).

        None


        Link to entry on the Chrome Platform Status


        https://chromestatus.com/feature/5123809745829888?gate=5122300803022848

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
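
The CSP integration described in the Summary, as an added example that is not part of the original message or of Chromium's code: a small audit that lists each speculation-rules source in a response and reports whether CSP blocks it. The function names, the sample headers and the sample HTML are constructed, and the CSP matching is a simplified model (nonces, 'unsafe-inline' and 'inline-speculation-rules' only).

```javascript
// Added example: a simplified model of the behaviour described in the thread, not Chromium code.
// Assumption: only nonces, 'unsafe-inline' and 'inline-speculation-rules' are modelled (no hashes).

// Return the source list that governs scripts (script-src, else default-src), or null.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of (csp || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Would CSP let an inline <script type=speculationrules> with this nonce run?
function inlineAllowed(sources, nonce) {
  if (sources === null) return true; // no directive governs scripts
  if (sources.includes("'inline-speculation-rules'")) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // 'unsafe-inline' is ignored once the policy lists a nonce or hash source.
  const strict = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return !strict && sources.includes("'unsafe-inline'");
}

// List each speculation-rules source in a response and whether CSP blocks it.
function auditSpeculationRules(headers, html) {
  const sources = scriptSources(headers["content-security-policy"]);
  const findings = [];
  // Speculation-Rules carries a list of quoted URL strings; CSP no longer gates it.
  for (const m of (headers["speculation-rules"] || "").matchAll(/"([^"]*)"/g)) {
    findings.push({ via: "header", url: m[1], blockedByCsp: false });
  }
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    if (!/\btype=["']?speculationrules\b/i.test(m[1])) continue;
    const nonce = (/\bnonce=["']?([^"'\s>]+)/i.exec(m[1]) || [])[1] || null;
    findings.push({ via: "inline", nonce, blockedByCsp: !inlineAllowed(sources, nonce) });
  }
  return findings;
}

// Constructed sample response: strict nonce-based CSP, one header source, two inline blocks.
const sampleHeaders = {
  "content-security-policy": "default-src 'self'; script-src 'nonce-r4nd0m' 'unsafe-inline'",
  "speculation-rules": '"/rules/prefetch.json"',
};
const sampleHtml = `<script type="speculationrules" nonce="r4nd0m">{"prefetch":[{"urls":["/next"]}]}</script>
<script type=speculationrules>{"prefetch":[{"urls":["/injected"]}]}</script>`;

console.log(auditSpeculationRules(sampleHeaders, sampleHtml));
```

The un-nonced inline block is the only source reported as blocked, which is the injection case CSP's script policies exist for; the header-delivered rule set is outside that policy.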
