Contact emails
fer...@chromium.org, yu...@chromium.org

Explainer
https://github.com/fergald/explainer-bfcache-ccns/blob/main/api.md

Specification

Summary
An API that allows pages to declare triggers that will cause them to be invalidated (evicted from BFCache or cancelled from Prerendering). The goal is to provide an alternative to blocking Prerendering or BFCache entirely (e.g. with Cache-Control: no-store) while still ensuring that sensitive information is not presented to the user after logging out or other important state changes. Triggers include changes to listed cookies or storage keys.

Blink component
UI>Browser>Navigation>BFCache <https://bugs.chromium.org/p/chromium/issues/list?q=component:UI%3EBrowser%3ENavigation%3EBFCache>

Motivation
When users log out, pages in BFCache or pages that are Prerendering may contain sensitive information that should no longer be accessible. Currently, for BFCache, sites use `Cache-Control: no-store` to protect that information but this is a blunt instrument that prevents BFCacheing entirely, hurting performance. For prerendering, sites may not opt in to prerendering. This also prevents browsers from opportunistically prerendering.

Initial public proposal
https://github.com/whatwg/html/issues/7189

Search tags
bfcache prerendering cookies storage <https://chromestatus.com/features#tags:bfcache%20prerendering%20cookies%20storage>

TAG review
https://github.com/w3ctag/design-reviews/issues/786

TAG review status
Pending

Risks

Interoperability and Compatibility
None known.

*Gecko*: No signal (https://docs.google.com/document/d/1YZvkd0nMk0VlaikLCcBtzX0CCUo9lLxoOUtEPbK2IYk/edit) This was discussed in the context of changing the default behaviour of BFCache with `Cache-Control: no-store`. The API itself didn't generate much discussion.

*WebKit*: No signal (https://docs.google.com/document/d/1YZvkd0nMk0VlaikLCcBtzX0CCUo9lLxoOUtEPbK2IYk/edit) This was discussed in the context of changing the default behaviour of BFCache with `Cache-Control: no-store`. The API itself didn't generate much discussion.

*Web developers*: No signals

*Other signals*:

Security
Since this just adds ways for a page to not be restored from BFCache or prerendered, it should not present a security risk.

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No

Debuggability

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No

Flag name

Requires code in //chrome?
False

Tracking bug
https://crbug.com/1386028

Estimated milestones
No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5197945132023808

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.