On Fri, Feb 17, 2023 at 10:02 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
> +Jason Robbins <jrobb...@google.com> - another one that our tooling
> missed..
>
> This intent seems to be missing a lot of the typical fields intents have,
> which makes it hard to review that all the checkboxes are properly filled.
> Can you maybe resend it based on the Chromestatus template?

I've done that already last week and it was LGTMed :)

> On Sun, Feb 5, 2023 at 7:50 AM Noam Rosenthal <nrosent...@chromium.org>
> wrote:
>
>> As part of the effort to make prefetch interoperable, we have recently
>> changed the CSP spec, where there is no more prefetch-src. Instead,
>> prefetch uses the "least restrictive directive" - any directive can allow
>> CSP and by default it goes to default-src.
>>
>> This allows using default-src to prevent exfiltration, while not
>> introducing new hoops devs have to jump through to enable prefetching - if
>> you enable any fetch for a URL, you can also prefetch it.
>>
>> Spec: https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy
>>
>> The intent is to:
>> - Remove the prefetch-src code
>> - Introduce the new behavior behind a flag, and go through the I2S
>> process with it later on.
>>
>> *Some notes about this:*
>> - Apple has recently implemented prefetch-src support in WebKit. However,
>> this support is purely hypothetical because they don't support prefetching
>> yet. We spoke with them and they are aligned with this change.
>> - prefetch-src was never *officially* shipped, however the runtime flag
>> protection was removed by mistake in 2021, so it silently shipped. The
>> consequence of removing it would be that some prefetches that were
>> disallowed by prefetch-src (there is some minor usage of prefetch-src in
>> the wild even though it was never shipped), would now be allowed until the
>> new flag is enabled (the previous "official" behavior was that prefetches
>> are not CSP-protected).
>>
>> We can alternatively add a deprecation flag for prefetch-src and keep
>> both code-paths, but I wonder if that's worth the hassle since, as
>> mentioned before, it was never officially shipped and its removal would
>> have only minor effects that are not "breaking".
>>
>> Link to prefetch-src: https://chromestatus.com/feature/4607623783514112
>> Link to new behavior: https://chromestatus.com/feature/5553640629075968

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJn%3DMYYFo_%2BDjmQvarub1rqSo3xB6BMCNWa1meivLR1TE6rvrg%40mail.gmail.com.
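
The "least restrictive directive" rule described in the quoted intent can be modelled as below. This is an added example, not code from the thread or from Chromium; the function names and host names are constructed, and source matching is simplified (paths and ports are ignored, and a host-source without a scheme accepts any scheme).

```javascript
// Simplified model of the CSP3 resource-hint check for prefetch.
const FETCH_DIRECTIVES = new Set(["default-src", "script-src", "style-src",
  "img-src", "font-src", "connect-src", "media-src", "object-src",
  "frame-src", "worker-src", "manifest-src", "child-src"]);

// Parse a policy string into directive name -> source list (first wins).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Assumption: reduced source-expression matching, enough for the demo.
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, other keywords
  if (source === "*") return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase(); // scheme-source
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[3].toLowerCase();
  return m[2] ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Returns null when the prefetch is allowed, or the name of the violated
// directive. Without default-src, prefetch is not restricted at all.
function prefetchViolation(header, target, selfOrigin) {
  const policy = parsePolicy(header);
  if (!policy.has("default-src")) return null;
  const url = new URL(target);
  for (const [name, sources] of policy) {
    if (!FETCH_DIRECTIVES.has(name)) continue;
    // Any fetch directive that allows the URL also allows prefetching it.
    if (sources.some((s) => sourceMatches(s, url, selfOrigin))) return null;
  }
  return "default-src"; // nothing allowed it: reported against default-src
}
```

With `default-src 'none'; img-src https://cdn.example`, a prefetch to `https://cdn.example/` passes because `img-src` already permits that origin, while a prefetch to any other origin is blocked and attributed to `default-src`.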