Intent to Implement: Feature policy to disable parser-blocking script execution

66 views
Skip to first unread message

Nate Chapin

unread,
Jul 11, 2018, 5:38:39ā€ÆPM7/11/18
to blink-dev

Contact emails

jap...@chromium.org


Explainer

Spec discussion: https://github.com/WICG/feature-policy/issues/135


Summary

Add a new policy-controlled feature, sync-script, which can be used to disable the execution of scripts that block parsing.


Motivation

Parser-blocking scripts can greatly delay the appearance of meaningful content. This gives developers that want to prioritize parsing over potentially long-running script execution a tool to enforce their own preferred development practices.


Risks

Interoperability and Compatibility

No signals yet from other browsers


Ergonomics

The main ergonomic complexity I'm aware of is on exactly which set of synchronous scripts this feature policy has the power to block and whether that will conform with developer expectations. See https://github.com/WICG/feature-policy/issues/135#issuecomment-395238652 for discussion of a specific corner case (dynamically-inserted inline scripts).


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.


Is this feature fully tested by web-platform-tests?

The draft CL includes test coverage.


Link to entry on the feature dashboard

https://www.chromestatus.com/feature/6218263637786624


Requesting approval to ship?

Not yet.

a...@google.com

unread,
Jul 16, 2018, 11:40:48ā€ÆAM7/16/18
to blink-dev
Given the cross-origin inheritance of Feature Policy, this would let cross-origin windows disable the execution of some page scripts (i.e. parser-blocking ones) while allowing others to run (async ones). This can have significant security consequences, e.g. if important security checks are conducted in parser-blocking scripts. Have you considered how you would tackle this problem?

Cheers,
-Artur

Nate Chapin

unread,
Jul 19, 2018, 2:04:18ā€ÆPM7/19/18
to a...@google.com, Ian Clelland, blink-dev
Similar concerns have been considered in the case of feature policy to disable sync xhr (seeĀ https://wicg.github.io/feature-policy/#privacy-alter-behavior), but parser-blocking scripts are potentially more powerful. iclelland@ and I are talking about how to tackle this, and will definitely have a coherent plan before shipping.

Thanks for bringing this up!
~Nate

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/ba9ba611-be90-4d26-9d05-49d00d996ee5%40chromium.org.

Jochen Eisinger

unread,
Jul 20, 2018, 2:55:29ā€ÆAM7/20/18
to Nate Chapin, a...@google.com, Ian Clelland, blink-dev
We have a solution for a similar problem with CSP: embedded enforcement. Both the embedder and the embeddee have to agree on the feature policy, otherwise the iframe won't be rendered.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACf%3D2L%2BZ%3DiaNA8phzKscgFSUHfPFaoHp4cqWTcpxWD_mTkfCcw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages