Got it, thanks for confirming Domenic.
LGTM2
On 10/9/24 2:10 AM, Yoav Weiss (@Shopify) wrote:
LGTM1
I agree that this is a web-exposed bug fix, and that the likelihood of
negative impact here at this stage of the feature's life is slim.
On Wednesday, October 9, 2024 at 4:44:10 AM UTC+2 Domenic Denicola wrote:
(Note: feature owner hat on, API owner hat off.)
On Wed, Oct 9, 2024 at 11:24 AM Mike Taylor <miketa...@chromium.org> wrote:
On 10/8/24 1:05 PM, Liviu Tinta wrote:
Contact emails
dome...@chromium.org, jbro...@chromium.org, liviuti...@chromium.org
Explainer
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
Specification
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
Summary
This is somewhat of a bug-fix, but it's a web-exposed
bug fix which deserves full web platform security
review, so we're using the Intent to Ship process.
When we initially shipped the Speculation-Rules
header, we reused much of the architecture from the
<script type=speculationrules> implementation, and
thus it was blocked by CSP policies that blocked
<script> elements. This has caused some friction
among web developers adopting the Speculation-Rules
header, who expected CSP to only apply to <script>s.
After consulting with Google and Chrome security
teams, we realized our initial implementation was a
mistake, as CSP's script policies are meant to
protect against injection of scripts into HTML, and
the CSP threat model doesn't relate to HTTP headers.
As such, we're updating the integration between
speculation rules and CSP so that CSP only applies to
<script type=speculationrules>, and not to the
Speculation-Rules header.
Blink component
Internals>Preload
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EPreload>
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
None
Are there failure modes/compat implications y'all can think of
by us sending the header where it was previously blocked? I
can't think of anything, but you've probably thought about
this for much longer than I have over the past 5 mins.
This actually doesn't send any new headers. The website is sending
the Speculation-Rules request header to us, the browser. The
question is whether the browser then processes it, and proceeds
with performing speculative loads. So I guess the question is, are
there any failure modes/compat implications of doing new
speculative loads which were previously blocked?
We're pretty confident there are no such compat implications:
* On a general level, speculative loading is a progressive
enhancement. Sites that try to use it are coded to be
resilient to it happening, or not.
* On a specific level, somewhere very close to 100% of the usage
of the Speculation-Rules header comes from Cloudflare's recent
Speed Brain launch, and we know that they are prepared for this.
Gecko: N/A
WebKit: N/A
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high risk
for Android WebView-based applications?
This feature changes the behavior of existing APIs.
The Finch killswitch is
ExemptSpeculationRulesHeaderFromCSP.
Debuggability
Developers can check whether the speculation rules
specified via the Speculation-Rules header, in the
presence of a strict Content-Security-Policy, are
loaded successfully in DevTools via existing CSP
DevTools support.
Will this feature be supported on all six Blink
platforms (Windows, Mac, Linux, ChromeOS, Android,
and Android WebView)?
No
Is WebView the outlier here?
Yes.
Is this feature fully tested by web-platform-tests
(https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md)?
Yes
https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned
Flag name on chrome://flags
None
Finch feature name
ExemptSpeculationRulesHeaderFromCSP
Requires code in //chrome?
False
Measurement
https://chromestatus.com/metrics/feature/timeline/popularity/4394
Availability expectation
Feature is available only in Chromium browsers for
the foreseeable future.
Adoption expectation
Feature is used by specific partner(s) to provide
functionality within 12 months of launch in Chrome.
Adoption plan
Speculation-Rules header was adopted by Cloudflare
for the Product Speed Brain:
https://developers.cloudflare.com/speed/optimization/content/speed-brain/
Non-OSS dependencies
Does the feature depend on any code or APIs outside
the Chromium open source repository and its
open-source dependencies to function?
No.
Estimated milestones
Shipping on desktop 131
Shipping on Android 131
Shipping on WebView 131
Anticipated spec changes
Open questions about a feature may be a source of
future web compat or interop issues. Please list open
issues (e.g. links to known github issues in the
project for the feature specification) whose
resolution may introduce web compat/interop risk
(e.g., changing to naming or structure of the API in
a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5123809745829888?gate=5122300803022848
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com.