On Fri, Nov 17, 2023 at 11:40 AM Daniel Vogelheim <vogelh...@google.com> wrote:
> Hi Jeremy,
>
> On Thu, Nov 16, 2023 at 12:33 AM Jeremy Roman <jbro...@chromium.org> wrote:
>
>> (3) Currently developers can only specify speculation rules using inline
>> script tags. The proposed feature provides an alternative through the
>> "Speculation-Rules" header. Its value must be a URL to a text resource with
>> "application/speculationrules+json" MIME type. The resource's rules will be
>> added to the document's rule set.
>
> Is the URL from the speculation rules header restricted to same-origin
> resources?
>
> The examples seem to assume so; but I couldn't find any definite
> statement. The header parsing code reads to me like it would allow
> arbitrary URLs (cross-origin; or mixed http/https). Is this the intent?

It is not restricted to be same-origin. This is similar to how other subresources, like scripts, stylesheets, and images, can be loaded cross-origin. However, if it is cross-origin, the response must be CORS-readable.
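
The acceptance conditions discussed in this thread (the stated MIME type, and CORS-readability when the rules URL is cross-origin), modeled as an added example that is not part of the thread and is not Chromium's code. All function names and the `.test` hosts are hypothetical; it assumes the rules fetch is sent without credentials and that the MIME type is compared without its parameters.

```javascript
// Added example: models the checks described in the thread for a resource
// referenced by the Speculation-Rules header. Names are hypothetical.
const RULES_MIME = "application/speculationrules+json";

// Headers arrive as a plain object; look names up case-insensitively.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Assumption: the rules fetch is a CORS request sent without credentials,
// so "Access-Control-Allow-Origin: *" is enough to make the response readable.
function corsReadable(documentOrigin, headers) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  return acao === "*" || acao === documentOrigin;
}

function checkRulesResponse(documentUrl, rulesUrl, responseHeaders) {
  const doc = new URL(documentUrl);
  let rules;
  try {
    rules = new URL(rulesUrl, doc); // relative URLs resolve against the document
  } catch {
    return { accepted: false, reason: "unparseable rules URL" };
  }
  const crossOrigin = rules.origin !== doc.origin;
  // Assumption: compare the MIME essence only, ignoring "; charset=..." parameters.
  const essence = (header(responseHeaders, "Content-Type") || "")
    .split(";")[0].trim().toLowerCase();
  if (essence !== RULES_MIME) {
    return { accepted: false, crossOrigin, reason: "wrong MIME type" };
  }
  if (crossOrigin && !corsReadable(doc.origin, responseHeaders)) {
    return { accepted: false, crossOrigin, reason: "cross-origin response is not CORS-readable" };
  }
  return { accepted: true, crossOrigin, reason: "ok" };
}
```

A site operator can run the same checks against the response headers of a rules file hosted on a CDN origin to see why a cross-origin rule set would be dropped.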