LGTM1

I agree that this is a web-exposed bug fix, and that the likelihood of 
negative impact here at this stage of the feature's life is slim.

On Wednesday, October 9, 2024 at 4:44:10 AM UTC+2 Domenic Denicola wrote:

> (Note: feature owner hat on, API owner hat off.)
>
> On Wed, Oct 9, 2024 at 11:24 AM Mike Taylor <miketa...@chromium.org> 
> wrote:
>
>>
>> On 10/8/24 1:05 PM, Liviu Tinta wrote:
>>
>> Contact emails dome...@chromium.org, jbro...@chromium.org, 
>> liviuti...@chromium.org
>>
>> Explainer 
>> https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
>>
>> Specification 
>> https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
>>
>> Summary 
>>
>> This is somewhat of a bug-fix, but it's a web-exposed bug fix which 
>> deserves full web platform security review, so we're using the Intent to 
>> Ship process. When we initially shipped the Speculation-Rules header, we 
>> reused much of the architecture from the <script type=speculationrules> 
>> implementation, and thus it was blocked by CSP policies that blocked 
>> <script> elements. This has caused some friction among web developers 
>> adopting the Speculation-Rules header, who expected CSP to only apply to 
>> <script>s. After consulting with Google and Chrome security teams, we 
>> realized our initial implementation was a mistake, as CSP's script policies 
>> are meant to protect against injection of scripts into HTML, and the CSP 
>> threat model doesn't relate to HTTP headers. As such, we're updating the 
>> integration between speculation rules and CSP so that CSP only applies to 
>> <script type=speculationrules>, and not to the Speculation-Rules header.
>>
>>
>> Blink component Internals>Preload 
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EPreload>
>>
>> TAG review None
>>
>> TAG review status Not applicable
>>
>> Risks 
>>
>>
>> Interoperability and Compatibility 
>>
>> None
>>
>> Are there failure modes/compat implications y'all can think of by us 
>> sending the header where it was previously blocked? I can't think of 
>> anything, but you've probably thought about this for much longer than I 
>> have over the past 5 mins.
>>
>
> This actually doesn't send any new headers. The website is sending the 
> Speculation-Rules request header to us, the browser. The question is 
> whether the browser then processes it, and proceeds with performing 
> speculative loads. So I guess the question is, are there any failure 
> modes/compat implications of doing new speculative loads which were 
> previously blocked?
>
> We're pretty confident there are no such compat implications:
>
>    - On a general level, speculative loading is a progressive 
>    enhancement. Sites that try to use it are coded to be resilient to it 
>    happening, or not.
>    - On a specific level, somewhere very close to 100% of the usage of 
>    the Speculation-Rules header comes from Cloudflare's recent Speed Brain 
>    launch, and we know that they are prepared for this.
>
>>
>> *Gecko*: N/A
>>
>> *WebKit*: N/A
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> WebView application risks 
>>
>> Does this intent deprecate or change behavior of existing APIs, such that 
>> it has potentially high risk for Android WebView-based applications?
>>
>> This feature changes the behavior of existing APIs. The Finch killswitch 
>> is ExemptSpeculationRulesHeaderFromCSP.
>>
>>
>> Debuggability 
>>
>> Developers can check whether the speculation rules specified via the 
>> Speculation-Rules header, in the presence of a strict 
>> Content-Security-Policy, are loaded successfully in DevTools via existing 
>> CSP DevTools support.
>>
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, 
>> Linux, ChromeOS, Android, and Android WebView)? No
>>
>> Is WebView the outlier here?
>>
>
> Yes.
>>
>> Is this feature fully tested by web-platform-tests 
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? 
>> Yes 
>>
>>
>> https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned
>>
>>
>> Flag name on chrome://flags None
>>
>> Finch feature name ExemptSpeculationRulesHeaderFromCSP
>>
>> Requires code in //chrome? False
>>
>> Measurement 
>> https://chromestatus.com/metrics/feature/timeline/popularity/4394
>>
>> Availability expectation Feature is available only in Chromium browsers 
>> for the foreseeable future.
>>
>> Adoption expectation Feature is used by specific partner(s) to provide 
>> functionality within 12 months of launch in Chrome.
>>
>> Adoption plan Speculation-Rules header was adopted by Cloudflare for the 
>> Product Speed Brain: 
>> https://developers.cloudflare.com/speed/optimization/content/speed-brain/
>>
>> Non-OSS dependencies 
>>
>> Does the feature depend on any code or APIs outside the Chromium open 
>> source repository and its open-source dependencies to function?
>> No.
>>
>> Estimated milestones 
>> Shipping on desktop 131 
>> Shipping on Android 131 
>> Shipping on WebView 131 
>>
>> Anticipated spec changes 
>>
>> Open questions about a feature may be a source of future web compat or 
>> interop issues. Please list open issues (e.g. links to known github issues 
>> in the project for the feature specification) whose resolution may 
>> introduce web compat/interop risk (e.g., changing the naming or structure of 
>> the API in a non-backward-compatible way).
>> None
>>
>> Link to entry on the Chrome Platform Status 
>> https://chromestatus.com/feature/5123809745829888?gate=5122300803022848
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com
>>  
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>

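The CSP integration described in the quoted summary, as an added example that is not part of the thread and is not Chromium code: it reports which speculation-rules sources on one response are still gated by CSP. The function names, the input shape and the sample response are constructed for illustration; the `'inline-speculation-rules'` source keyword comes from the speculation rules specification's CSP integration, not from this thread.

```javascript
// Added example, not Chromium code. Simplified model: one policy, only
// script-src / default-src are read, hash sources are seen but not matched.

// Return the source list that governs scripts, or null if the policy has none.
function scriptSources(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Would CSP let an inline <script type=speculationrules> with this nonce apply?
function inlineRulesAllowed(sources, nonce) {
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'inline-speculation-rules'")) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
  const strict = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s)) ||
    lower.includes("'strict-dynamic'");
  return lower.includes("'unsafe-inline'") && !strict;
}

// headers: lower-cased response headers; inlineScripts: [{ nonce }] (constructed shape).
function auditSpeculationRules(headers, inlineScripts) {
  const sources = scriptSources(headers['content-security-policy'] ?? '');
  const report = [];
  if (headers['speculation-rules']) {
    // Behaviour described in the thread: the header is exempt from CSP.
    report.push({ source: 'header', cspChecked: false, blockedByCsp: false });
  }
  for (const { nonce } of inlineScripts) {
    report.push({ source: 'inline', cspChecked: true,
      blockedByCsp: !inlineRulesAllowed(sources, nonce) });
  }
  return report;
}

// Constructed sample response: strict CSP, header-delivered rules, two inline blocks.
const sampleReport = auditSpeculationRules({
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
  'speculation-rules': '"/speculation-rules.json"',
}, [{ nonce: 'r4nd0m' }, { nonce: null }]);
console.log(sampleReport);
```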