LGTM1 - as potential breakage won't be user visible and would be mitigated by other means.
On Wed, Feb 8, 2023 at 11:21 AM Mike West <mk...@chromium.org> wrote:

> LGTM0 (I'm recused, as this has my name on it).
>
> For a little more color, we accidentally shipped `prefetch-src` in M92 when moving CSP parsing out of the renderer. The check in https://chromium-review.googlesource.com/c/chromium/src/+/2839603/8/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc#b402 wasn't replicated in the network stack, and none of our tests covered it (since the flag was set to "experimental", so passing was expected).
>
> We've since aligned with other vendors on an alternate approach <https://chromestatus.com/feature/5553640629075968> that Noam aims to ship separately. This approach should completely cover developers' current usage of `prefetch-src` to gate outgoing request destinations, and do so cross-browser, which would be nice.
>
> Skimming through HTTP Archive results, my suspicion is that the 0.02% number Noam quotes would be much lower if taken as a percentage of page views. But even if they aren't, there's no user-visible breakage that removing the `prefetch-src` directive would create. The impact of removal is that pages using `prefetch-src` to prevent certain prefetch requests would fail to do so. That impact will be mitigated when Noam ships the other thing mentioned above (which, ideally, would happen in the same release :) ).
>
> As Noam notes, we have positive feedback on that proposal from other vendors, and it doesn't seem necessary to me to ask TAG whether we should remove something that's been removed from the relevant spec after discussion and agreement on an alternative.
>
> Thanks!
>
> -mike
>
> On Wed, Feb 8, 2023 at 10:26 AM Noam Rosenthal <nrosent...@chromium.org> wrote:
>
>> (sending this again, previous email was lacking template & details)
>>
>> Primary eng (and PM) emails
>>
>> nrosent...@chromium.org
>> mk...@chromium.org
>>
>> Summary
>>
>> Prefetch-src was never fully adopted, but was shipped by mistake in 2021 (the flag was removed, Oops)
>>
>> We’ve since changed the spec, and the replacement is in development.
>>
>> Motivation
>>
>> See https://github.com/w3c/webappsec-csp/issues/563
>>
>> The motivation is to clean up CSP directives that are not in consensus/use.
>>
>> The new least-restrictive-directive method for prefetch-src requires less churn from developers and is accepted by other vendors.
>>
>> Interoperability and Compatibility Risk
>>
>> There are some pages (0.02%) out there that use prefetch-src, even though it was never officially shipped in any browser (but, as said before, was mistakenly shipped by Chrome in 2021). Those pages would not get the (partial) protection that prefetch-src gives: blocking a prefetch under certain conditions. When we ship Least Restrictive Directive <https://chromestatus.com/feature/5553640629075968>, which had gained consensus,
>>
>> Firefox: Never implemented prefetch-src, positive on prefetch behavior alignment <https://github.com/mozilla/standards-positions/issues/723>
>>
>> Safari: positive to removal and prefetch behavior alignment <https://github.com/WebKit/standards-positions/issues/114>
>>
>> Note that WebKit has recently implemented prefetch-src into their CSP parser, but they did not implement prefetch yet so that is hypothetical. They have confirmed that they are aligned with this change.
>>
>> Alternative implementation suggestion for web developers
>>
>> See https://chromestatus.com/feature/5553640629075968. Prefetch will by default be protected by default-src, and other directives can allow it (“least restrictive directive”). This would make protecting against exfiltration more transparent, not requiring a new directive for each type of way to fetch.
>>
>> Usage information from UseCounter <https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/page/UseCounter.h&sq=package:chromium&type=cs&q=file:UseCounter.h%20Feature&l=39>
>>
>> There is no UseCounter for prefetch-src. HTTP-Archive shows that responses that included prefetch-src in their CSP header amounted to 0.02% of all document requests.
>>
>> Entry on the feature dashboard <https://www.chromestatus.com/>
>>
>> https://chromestatus.com/guide/edit/4607623783514112
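An added example, not part of the thread and not Chromium's code: a small header audit that flags policies still carrying `prefetch-src` and evaluates a prefetch under the model quoted above (guarded by `default-src`, with any other fetch directive able to allow it). The directive set, the simplified source matching and the function names are assumptions made for this sketch, and the hosts are constructed.

```python
from urllib.parse import urlsplit

# Assumption: fetch directives that can allow a prefetch under the
# "least restrictive directive" model; the thread does not enumerate them.
FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src",
                    "connect-src", "font-src", "media-src", "frame-src"}

def parse_csp(header):
    """Parse one CSP header value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, self_origin):
    """Simplified matching: '*', 'self', 'scheme:', [scheme://]host and *.host only."""
    target, src = urlsplit(url), source.lower()
    if src == "*":
        return target.scheme in ("http", "https")
    if src == "'self'":
        own = urlsplit(self_origin)
        return (target.scheme, target.netloc) == (own.scheme, own.netloc)
    if src.startswith("'"):      # 'none', nonces, hashes: never match a URL
        return False
    if src.endswith(":"):        # scheme-only source such as "https:"
        return target.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    if scheme and scheme != target.scheme:
        return False
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host

def prefetch_allowed(policy, url, self_origin):
    """Assumed model: no default-src means unrestricted; otherwise any
    present fetch directive that matches the URL allows the prefetch."""
    if "default-src" not in policy:
        return True
    return any(source_matches(s, url, self_origin)
               for d in policy if d in FETCH_DIRECTIVES for s in policy[d])

def audit(header, url, self_origin):
    """Report whether the policy still uses prefetch-src and what the model decides."""
    policy = parse_csp(header)
    return {"uses_prefetch_src": "prefetch-src" in policy,
            "prefetch_allowed": prefetch_allowed(policy, url, self_origin)}
```

A policy for which `uses_prefetch_src` is true and `prefetch_allowed` is true for a destination that `prefetch-src` was meant to block is the case the thread describes as the impact of removal.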