(sending this again, previous email was lacking template & details)

Primary eng (and PM) emails

[email protected]

[email protected]


Summary

Prefetch-src was never fully adopted, but was shipped by mistake in 2021
(the flag was removed, Oops)

We’ve since changed the spec, and the replacement is in development.

Motivation

See https://github.com/w3c/webappsec-csp/issues/563

The motivation is to clean up CSP directives that are not in consensus/use.

The new least-restrictive-directive method for prefetch-src requires less
churn from developers and is accepted by other vendors.

Interoperability and Compatibility Risk

There are some pages (0.02%) out there that use prefetch-src, even though
it was never officially shipped in any browser (but, as said before, was
mistakenly shipped by Chrome in 2021). Those pages would not get the
(partial) protection that prefetch-src gives: blocking a prefetch under
certain conditions. When we ship Least Restrictive Directive
<https://chromestatus.com/feature/5553640629075968>, which had gained
consensus,

Firefox: Never implemented prefetch-src, positive on prefetch behavior
alignment <https://github.com/mozilla/standards-positions/issues/723>

Safari: positive to removal and prefetch behavior alignment
<https://github.com/WebKit/standards-positions/issues/114>

Note that WebKit has recently implemented prefetch-src into their CSP
parser, but they did not implement prefetch yet, so that is hypothetical.
They have confirmed that they are aligned with this change.

Alternative implementation suggestion for web developers

See https://chromestatus.com/feature/5553640629075968. Prefetch will by
default be protected by default-src, and other directives can allow it
(“least restrictive directive”). This would make protecting against
exfiltration more transparent, not requiring a new directive for each type
of way to fetch.
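To make the difference concrete between the behaviour Chrome shipped in 2021 (prefetch-src, falling back to default-src) and the least-restrictive-directive model described above and in the Interoperability section, here is an added Python model. It is an illustration written for this page, not Chromium's, WebKit's or the spec's code; the source-expression matcher is deliberately simplified (no path matching, no http-to-https upgrade, no nonce or hash handling), and the policy strings, origin and URLs are constructed sample values. The resolution rule it implements is the one the text states: prefetch-src is ignored, default-src protects prefetch by default, and any other fetch directive that would allow the URL also allows the prefetch.

```python
"""Model of CSP prefetch gating: legacy prefetch-src vs least-restrictive directive.

Added illustration, not browser code. Matching is simplified on purpose so the
directive-resolution logic stays visible.
"""
from urllib.parse import urlparse

# Fetch directives that can govern a subresource request. prefetch-src is left
# out: the legacy model looks it up explicitly, the new model ignores it.
FETCH_DIRECTIVES = {
    "default-src", "child-src", "connect-src", "font-src", "frame-src",
    "img-src", "manifest-src", "media-src", "object-src", "script-src",
    "style-src", "worker-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy


def _source_matches(expr: str, url, origin) -> bool:
    """Simplified CSP3 source-expression matching: 'self', 'none', *, scheme:, host."""
    expr = expr.lower()
    if expr == "'self'":
        return (url.scheme, url.netloc) == (origin.scheme, origin.netloc)
    if expr.startswith("'"):            # 'none', nonces, hashes, 'unsafe-*': never match a URL
        return False
    if expr == "*":
        return url.scheme in ("http", "https")
    if expr.endswith(":") and "/" not in expr:
        return url.scheme == expr[:-1]  # scheme-source such as https:
    # host-source: [scheme://]host[:port][/path]; the path is ignored in this model
    scheme, rest = expr.split("://", 1) if "://" in expr else ("", expr)
    if scheme and url.scheme != scheme:
        return False
    if not scheme and url.scheme not in ("http", "https"):
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    hostname = (url.hostname or "").lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:]):  # "*.example" matches "a.example", not "example"
            return False
    elif hostname != host:
        return False
    if port and port != "*":
        actual = url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)
        if actual != int(port):
            return False
    return True


def _allows(sources: list[str], url, origin) -> bool:
    """An empty source list behaves like 'none'."""
    return any(_source_matches(s, url, origin) for s in sources)


def prefetch_allowed_legacy(header: str, prefetch_url: str, page_origin: str) -> bool:
    """2021 Chrome behaviour: prefetch-src governs, falling back to default-src;
    with neither present the prefetch is allowed."""
    policy = parse_csp(header)
    sources = policy.get("prefetch-src", policy.get("default-src"))
    if sources is None:
        return True
    return _allows(sources, urlparse(prefetch_url), urlparse(page_origin))


def prefetch_allowed_least_restrictive(header: str, prefetch_url: str, page_origin: str) -> bool:
    """Replacement model from the intent: prefetch-src is ignored; default-src
    protects prefetch by default and any other present fetch directive that
    allows the URL also allows the prefetch. No fetch directives: no restriction."""
    policy = parse_csp(header)
    url, origin = urlparse(prefetch_url), urlparse(page_origin)
    present = [d for d in policy if d in FETCH_DIRECTIVES]
    if not present:
        return True
    return any(_allows(policy[d], url, origin) for d in present)


# Constructed sample values for the comparison below.
ORIGIN = "https://app.example"
POLICY_NO_PREFETCH_SRC = "default-src 'self'; script-src 'self' https://cdn.example; img-src *"
POLICY_WITH_PREFETCH_SRC = "default-src 'self'; prefetch-src https://cdn.example"
POLICY_NO_FETCH_DIRECTIVES = "frame-ancestors 'none'"

if __name__ == "__main__":
    for policy in (POLICY_NO_PREFETCH_SRC, POLICY_WITH_PREFETCH_SRC, POLICY_NO_FETCH_DIRECTIVES):
        print(policy)
        for target in ("https://app.example/next", "https://cdn.example/lib.js", "https://evil.example/x"):
            print(f"  {target:28} legacy={prefetch_allowed_legacy(policy, target, ORIGIN)!s:5} "
                  f"least-restrictive={prefetch_allowed_least_restrictive(policy, target, ORIGIN)}")
```

The second sample policy shows the compatibility point from the Interoperability section: a page that relied on prefetch-src to allow a CDN while default-src stayed at 'self' loses that allowance once prefetch-src is ignored, and a page that used prefetch-src to lock prefetch down below its other directives loses that restriction. The first policy shows the other side of the union rule: a permissive directive such as img-src * opens prefetch to every http(s) host, so a policy author reviewing exfiltration exposure should read the most permissive fetch directive, not only default-src.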

Usage information from UseCounter
<https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/page/UseCounter.h&sq=package:chromium&type=cs&q=file:UseCounter.h%20Feature&l=39>

There is no UseCounter for prefetch-src. HTTP-Archive shows that responses
that included prefetch-src in their CSP header amounted to 0.02% of all
document requests.

Entry on the feature dashboard <https://www.chromestatus.com/>

https://chromestatus.com/guide/edit/4607623783514112
