LGTM0 (I'm recused, as this has my name on it).

For a little more color, we accidentally shipped `prefetch-src` in M92 when
moving CSP parsing out of the renderer. The check in
https://chromium-review.googlesource.com/c/chromium/src/+/2839603/8/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc#b402
wasn't replicated in the network stack, and none of our tests covered it
(since the flag was set to "experimental", so passing was expected).

We've since aligned with other vendors on an alternate approach
<https://chromestatus.com/feature/5553640629075968> that Noam aims to ship
separately. This approach should completely cover developers' current usage
of `prefetch-src` to gate outgoing request destinations, and do so
cross-browser, which would be nice.

Skimming through HTTP Archive results, my suspicion is that the 0.02%
number Noam quotes would be much lower if taken as a percentage of page
views. But even if it isn't, there's no user-visible breakage that
removing the `prefetch-src` directive would create. The impact of removal
is that pages using `prefetch-src` to prevent certain prefetch requests
would fail to do so. That impact will be mitigated when Noam ships the
other thing mentioned above (which, ideally, would happen in the same
release :) ).

As Noam notes, we have positive feedback on that proposal from other
vendors, and it doesn't seem necessary to me to ask TAG whether we should
remove something that's been removed from the relevant spec after
discussion and agreement on an alternative.

Thanks!

-mike


On Wed, Feb 8, 2023 at 10:26 AM Noam Rosenthal <nrosent...@chromium.org>
wrote:

> (sending this again, previous email was lacking template & details)
>
>
> Primary eng (and PM) emails
>
> nrosent...@chromium.org
>
> mk...@chromium.org
>
>
> Summary
>
> Prefetch-src was never fully adopted, but was shipped by mistake in 2021
> (the flag was removed, Oops)
>
> We’ve since changed the spec, and the replacement is in development.
>
> Motivation
>
> See https://github.com/w3c/webappsec-csp/issues/563
>
> The motivation is to clean up CSP directives that are not in consensus/use.
>
> The new least-restrictive-directive method for prefetch-src requires less
> churn from developers and is accepted by other vendors.
>
> Interoperability and Compatibility Risk
>
> There are some pages (0.02%) out there that use prefetch-src, even though
> it was never officially shipped in any browser (but, as said before, was
> mistakenly shipped by Chrome in 2021). Those pages would not get the
> (partial) protection that prefetch-src gives: blocking a prefetch under
> certain conditions. When we ship Least Restrictive Directive
> <https://chromestatus.com/feature/5553640629075968>, which had gained
> consensus,
>
> Firefox: Never implemented prefetch-src, positive on prefetch behavior
> alignment <https://github.com/mozilla/standards-positions/issues/723>
>
> Safari: positive to removal and prefetch behavior alignment
> <https://github.com/WebKit/standards-positions/issues/114>
>
> Note that WebKit has recently implemented prefetch-src into their CSP
> parser, but they did not implement prefetch yet so that is hypothetical.
> They have confirmed that they are aligned with this change.
>
> Alternative implementation suggestion for web developers
>
> See https://chromestatus.com/feature/5553640629075968. Prefetch will by
> default be protected by default-src, and other directives can allow it
> (“least restrictive directive”). This would make protecting against
> exfiltration more transparent, not requiring a new directive for each type
> of way to fetch.
>
> Usage information from UseCounter
> <https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/page/UseCounter.h&sq=package:chromium&type=cs&q=file:UseCounter.h%20Feature&l=39>
>
> There is no UseCounter for prefetch-src. HTTP-Archive shows that responses
> that included prefetch-src in their CSP header amounted to 0.02% of all
> document requests.
>
> Entry on the feature dashboard <https://www.chromestatus.com/>
>
> https://chromestatus.com/guide/edit/4607623783514112
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Df%2BKSqPSVp51nSN02goG%3DXmhQ6F4_3qwCNVAz25O4TTuQ%40mail.gmail.com.
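
An added example (not part of the thread and not Chromium's code): a simplified model of the "least restrictive directive" behaviour described above, which a site owner can use to see whether a policy still mentions `prefetch-src` and whether a prefetch to a given URL would be allowed by any remaining fetch directive. Assumptions: the function names, the simplified source matching (`'none'`, `*`, `'self'`, scheme sources, exact origins or hosts only), the treatment of a policy without `default-src` as not restricting prefetch, and the constructed example.test URLs.

```javascript
// Fetch directives the model consults; prefetch-src is deliberately absent (removed).
const FETCH_DIRECTIVES = new Set([
  "child-src", "connect-src", "default-src", "font-src", "frame-src",
  "img-src", "manifest-src", "media-src", "object-src", "script-src",
  "script-src-elem", "style-src", "style-src-elem", "worker-src",
]);

// Parse one serialized policy into Map(name -> source tokens).
// A repeated directive is ignored: the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified matching (assumption): no paths, wildcards in hosts, nonces or hashes.
function sourceListAllows(sources, url, selfOrigin) {
  const target = new URL(url);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'") return target.origin === selfOrigin;
    if (s.endsWith(":")) return target.protocol === s; // scheme source, e.g. https:
    return s === target.origin || s === target.host;
  });
}

// Report whether the policy still carries prefetch-src and whether the model
// would let a prefetch to `url` through, and which directive allowed it.
function auditPrefetch(header, url, selfOrigin) {
  const policy = parsePolicy(header);
  const usesPrefetchSrc = policy.has("prefetch-src");
  // Assumption: without default-src the policy does not restrict prefetch.
  if (!policy.has("default-src")) return { usesPrefetchSrc, allowed: true, allowedBy: null };
  for (const [name, sources] of policy) {
    if (FETCH_DIRECTIVES.has(name) && sourceListAllows(sources, url, selfOrigin)) {
      return { usesPrefetchSrc, allowed: true, allowedBy: name };
    }
  }
  return { usesPrefetchSrc, allowed: false, allowedBy: null };
}
```

In this model a destination listed only under `prefetch-src` is no longer allowed once `default-src` is present, so a policy flagged with `usesPrefetchSrc` is worth reviewing before the directive goes away.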
