(Note: feature owner hat on, API owner hat off.) On Wed, Oct 9, 2024 at 11:24 AM Mike Taylor <miketa...@chromium.org> wrote:
> On 10/8/24 1:05 PM, Liviu Tinta wrote:
> > Contact emails
> > dome...@chromium.org, jbro...@chromium.org, liviuti...@chromium.org
> >
> > Explainer
> > https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
> >
> > Specification
> > https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
> >
> > Summary
> >
> > This is somewhat of a bug-fix, but it's a web-exposed bug fix which deserves full web platform security review, so we're using the Intent to Ship process. When we initially shipped the Speculation-Rules header, we reused much of the architecture from the <script type=speculationrules> implementation, and thus it was blocked by CSP policies that blocked <script> elements. This has caused some friction among web developers adopting the Speculation-Rules header, who expected CSP to only apply to <script>s. After consulting with Google and Chrome security teams, we realized our initial implementation was a mistake, as CSP's script policies are meant to protect against injection of scripts into HTML, and the CSP threat model doesn't relate to HTTP headers. As such, we're updating the integration between speculation rules and CSP so that CSP only applies to <script type=speculationrules>, and not to the Speculation-Rules header.
> >
> > Blink component
> > Internals>Preload <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EPreload>
> >
> > TAG review
> > None
> >
> > TAG review status
> > Not applicable
> >
> > Risks
> >
> > Interoperability and Compatibility
> >
> > None
>
> Are there failure modes/compat implications y'all can think of by us sending the header where it was previously blocked? I can't think of anything, but you've probably thought about this for much longer than I have over the past 5 mins.

This actually doesn't send any new headers. The website is sending the Speculation-Rules request header to us, the browser. The question is whether the browser then processes it, and proceeds with performing speculative loads. So I guess the question is, are there any failure modes/compat implications of doing new speculative loads which were previously blocked?

We're pretty confident there are no such compat implications:

- On a general level, speculative loading is a progressive enhancement. Sites that try to use it are coded to be resilient to it happening, or not.
- On a specific level, somewhere very close to 100% of the usage of the Speculation-Rules header comes from Cloudflare's recent Speed Brain launch, and we know that they are prepared for this.

> > *Gecko*: N/A
> >
> > *WebKit*: N/A
> >
> > *Web developers*: No signals
> >
> > *Other signals*:
> >
> > WebView application risks
> >
> > Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
> >
> > This feature changes the behavior of existing APIs. The Finch killswitch is ExemptSpeculationRulesHeaderFromCSP.
> >
> > Debuggability
> >
> > Developers can check if the speculation rules specified via the Speculation-Rules header, in the presence of a strict Content-Security-Policy, are loaded successfully in DevTools via existing CSP DevTools support.
> >
> > Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
> > No
>
> Is WebView the outlier here?

Yes.

> > Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> > Yes
> >
> > https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned
> >
> > Flag name on chrome://flags
> > None
> >
> > Finch feature name
> > ExemptSpeculationRulesHeaderFromCSP
> >
> > Requires code in //chrome?
> > False
> >
> > Measurement
> > https://chromestatus.com/metrics/feature/timeline/popularity/4394
> >
> > Availability expectation
> > Feature is available only in Chromium browsers for the foreseeable future.
> >
> > Adoption expectation
> > Feature is used by specific partner(s) to provide functionality within 12 months of launch in Chrome.
> >
> > Adoption plan
> > Speculation-Rules header was adopted by Cloudflare for the Product Speed Brain: https://developers.cloudflare.com/speed/optimization/content/speed-brain/
> >
> > Non-OSS dependencies
> >
> > Does the feature depend on any code or APIs outside the Chromium open source repository and its open-source dependencies to function?
> > No.
> >
> > Estimated milestones
> > Shipping on desktop 131
> > Shipping on Android 131
> > Shipping on WebView 131
> >
> > Anticipated spec changes
> >
> > Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
> > None
> >
> > Link to entry on the Chrome Platform Status
> > https://chromestatus.com/feature/5123809745829888?gate=5122300803022848
> >
> > --
> > You received this message because you are subscribed to the Google Groups "blink-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
> > To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com