LGTM3

On Wed, Oct 9, 2024 at 10:30 AM Mike Taylor <miketa...@chromium.org> wrote:
> Got it, thanks for confirming Domenic.
>
> LGTM2
> On 10/9/24 2:10 AM, Yoav Weiss (@Shopify) wrote:
>
> LGTM1
>
> I agree that this is a web-exposed bug fix, and that the likelihood of
> negative impact here at this stage of the feature's life is slim.
>
> On Wednesday, October 9, 2024 at 4:44:10 AM UTC+2 Domenic Denicola wrote:
>
>> (Note: feature owner hat on, API owner hat off.)
>>
>> On Wed, Oct 9, 2024 at 11:24 AM Mike Taylor <miketa...@chromium.org>
>> wrote:
>>
>>>
>>> On 10/8/24 1:05 PM, Liviu Tinta wrote:
>>>
>>> Contact emails dome...@chromium.org, jbro...@chromium.org,
>>> liviuti...@chromium.org
>>>
>>> Explainer
>>> https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
>>>
>>> Specification
>>> https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
>>>
>>> Summary
>>>
>>> This is somewhat of a bug-fix, but it's a web-exposed bug fix which
>>> deserves full web platform security review, so we're using the Intent to
>>> Ship process. When we initially shipped the Speculation-Rules header, we
>>> reused much of the architecture from the <script type=speculationrules>
>>> implementation, and thus it was blocked by CSP policies that blocked
>>> <script> elements. This has caused some friction among web developers
>>> adopting the Speculation-Rules header, who expected CSP to only apply to
>>> <script>s. After consulting with Google and Chrome security teams, we
>>> realized our initial implementation was a mistake, as CSP's script policies
>>> are meant to protect against injection of scripts into HTML, and the CSP
>>> threat model doesn't relate to HTTP headers. As such, we're updating the
>>> integration between speculation rules and CSP so that CSP only applies to
>>> <script type=speculationrules>, and not to the Speculation-Rules header.
>>>
>>> Blink component Internals>Preload
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3EPreload>
>>>
>>> TAG review None
>>>
>>> TAG review status Not applicable
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> None
>>>
>>> Are there failure modes/compat implications y'all can think of by us
>>> sending the header where it was previously blocked? I can't think of
>>> anything, but you've probably thought about this for much longer than I
>>> have over the past 5 mins.
>>>
>>
>> This actually doesn't send any new headers. The website is sending the
>> Speculation-Rules request header to us, the browser. The question is
>> whether the browser then processes it, and proceeds with performing
>> speculative loads. So I guess the question is, are there any failure
>> modes/compat implications of doing new speculative loads which were
>> previously blocked?
>>
>> We're pretty confident there are no such compat implications:
>>
>> - On a general level, speculative loading is a progressive
>>   enhancement. Sites that try to use it are coded to be resilient to it
>>   happening, or not.
>> - On a specific level, somewhere very close to 100% of the usage of
>>   the Speculation-Rules header comes from Cloudflare's recent Speed Brain
>>   launch, and we know that they are prepared for this.
>>
>>>
>>> *Gecko*: N/A
>>>
>>> *WebKit*: N/A
>>>
>>> *Web developers*: No signals
>>>
>>> *Other signals*:
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>> This feature changes the behavior of existing APIs. The Finch killswitch
>>> is ExemptSpeculationRulesHeaderFromCSP.
>>>
>>> Debuggability
>>>
>>> Developers can check if the speculation rules specified via
>>> Speculation-Rules header, in the presence of a strict
>>> Content-Security-Policy is loaded successfully in DevTools via existing CSP
>>> DevTools support.
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, ChromeOS, Android, and Android WebView)? No
>>>
>>> Is WebView the outlier here?
>>>
>>
>> Yes.
>>
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>> ? Yes
>>>
>>> https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned
>>>
>>> Flag name on chrome://flags None
>>>
>>> Finch feature name ExemptSpeculationRulesHeaderFromCSP
>>>
>>> Requires code in //chrome? False
>>>
>>> Measurement
>>> https://chromestatus.com/metrics/feature/timeline/popularity/4394
>>>
>>> Availability expectation Feature is available only in Chromium browsers
>>> for the foreseeable future.
>>>
>>> Adoption expectation Feature is used by specific partner(s) to provide
>>> functionality within 12 months of launch in Chrome.
>>>
>>> Adoption plan Speculation-Rules header was adopted by Cloudflare for
>>> the Product Speed Brain:
>>> https://developers.cloudflare.com/speed/optimization/content/speed-brain/
>>>
>>> Non-OSS dependencies
>>>
>>> Does the feature depend on any code or APIs outside the Chromium open
>>> source repository and its open-source dependencies to function?
>>> No.
>>>
>>> Estimated milestones
>>> Shipping on desktop 131
>>> Shipping on Android 131
>>> Shipping on WebView 131
>>>
>>> Anticipated spec changes
>>>
>>> Open questions about a feature may be a source of future web compat or
>>> interop issues. Please list open issues (e.g. links to known github issues
>>> in the project for the feature specification) whose resolution may
>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>> the API in a non-backward-compatible way).
>>> None
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/5123809745829888?gate=5122300803022848
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
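
The CSP integration discussed in this thread, as an added example that is not part of the original messages or Chromium's code: a simplified audit that lists each speculation-rules delivery path in a response and whether the page's CSP gates it. The function names and the sample response are constructed, the HTML scan is a regex approximation, and the `'inline-speculation-rules'` keyword and the `'unsafe-inline'` handling come from the CSP and speculation rules specifications, not from the thread.

```javascript
// Simplified model (added example): hash sources and report-only CSP not modelled.
// Source list that governs <script> elements, or null when no directive applies.
function scriptSourceList(csp) {
  const directives = new Map();
  for (const part of (csp || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get("script-src-elem") ?? directives.get("script-src") ??
    directives.get("default-src") ?? null;
}

// Would CSP let an inline <script type=speculationrules> carrying this nonce run?
function inlineRulesAllowed(csp, nonce) {
  const list = scriptSourceList(csp);
  if (list === null) return true;
  const lower = list.map((s) => s.toLowerCase());
  if (lower.includes("'inline-speculation-rules'")) return true;
  if (nonce && list.includes(`'nonce-${nonce}'`)) return true;
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
  const inlineIgnored = lower.some((s) =>
    s.startsWith("'nonce-") || s.startsWith("'sha") || s === "'strict-dynamic'");
  return lower.includes("'unsafe-inline'") && !inlineIgnored;
}

// One finding per speculation-rules delivery path seen in a response.
function auditSpeculationRules(headers, html) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (h["speculation-rules"]) {
    // Header path: CSP is not consulted (the behaviour this thread approves).
    findings.push({ source: "header", cspApplies: false, blockedByCsp: false });
  }
  const tag = /<script\b([^>]*\btype=["']?speculationrules["']?[^>]*)>/gi;
  for (const m of html.matchAll(tag)) {
    const nonce = (/\bnonce=["']([^"']+)["']/i.exec(m[1]) || [])[1];
    const blocked = !inlineRulesAllowed(h["content-security-policy"], nonce);
    findings.push({ source: "inline", cspApplies: true, blockedByCsp: blocked });
  }
  return findings;
}
// Constructed sample response: strict CSP, header-delivered and inline rules.
const sample = auditSpeculationRules(
  { "Content-Security-Policy": "script-src 'self'",
    "Speculation-Rules": '"/rules/prefetch.json"' },
  '<script type="speculationrules">{"prefetch":[]}</script>');
console.log(sample);
```

With the constructed sample, the header entry is reported as outside CSP's reach while the inline block is reported as blocked, so a review of who can set response headers covers the header path and `script-src` covers only the inline one.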