https://wpt.fyi/results/speculation-rules?label=experimental&label=master&aligned
Does the feature depend on any code or APIs outside the Chromium open source repository and its open-source dependencies to function?
No.
Shipping on desktop | 131 |
Shipping on Android | 131 |
Shipping on WebView | 131 |
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
Contact emails
dom...@chromium.org, jbr...@chromium.org, liviu...@chromium.org
Explainer
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
Specification
https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
Summary
This is somewhat of a bug-fix, but it's a web-exposed bug fix which deserves full web platform security review, so we're using the Intent to Ship process. When we initially shipped the Speculation-Rules header, we reused much of the architecture from the <script type=speculationrules> implementation, and thus it was blocked by CSP policies that blocked <script> elements. This has caused some friction among web developers adopting the Speculation-Rules header, who expected CSP to only apply to <script>s. After consulting with Google and Chrome security teams, we realized our initial implementation was a mistake, as CSP's script policies are meant to protect against injection of scripts into HTML, and the CSP threat model doesn't relate to HTTP headers. As such, we're updating the integration between speculation rules and CSP so that CSP only applies to <script type=speculationrules>, and not to the Speculation-Rules header.
Blink component
Internals>Preload
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
None
Gecko: N/A
WebKit: N/A
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
This feature changes the behavior of existing APIs. The Finch killswitch is ExemptSpeculationRulesHeaderFromCSP.
Debuggability
Developers can check if the speculation rules specified via the Speculation-Rules header, in the presence of a strict Content-Security-Policy, are loaded successfully in DevTools via existing CSP DevTools support.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHaAqY%2BbN7tWR_QqeHAypQwEXtG4%2BcvNciYF%2B%2BqDBko%2BjTajTA%40mail.gmail.com.
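The kind of deployment this intent affects, as an added example that is not part of the thread or of Chromium's code: a page with a nonce-based CSP that delivers its rules through the Speculation-Rules header, plus a helper that lists header-delivered rule sets for review. The path, the rule contents and the function names are assumptions.

```javascript
// Added example, not code from the thread. Paths and rule contents are assumptions.
const crypto = require('node:crypto');

const RULES_PATH = '/speculation-rules.json'; // hypothetical location
const RULES = { prefetch: [{ source: 'list', urls: ['/next'] }] };

// Response for a request path: { status, headers, body }.
function respond(path) {
  if (path === RULES_PATH) {
    // A rule set referenced from the header must use this MIME type.
    return { status: 200,
      headers: { 'Content-Type': 'application/speculationrules+json' },
      body: JSON.stringify(RULES) };
  }
  const nonce = crypto.randomBytes(16).toString('base64');
  return { status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Still applies to every <script>, including <script type=speculationrules>.
      'Content-Security-Policy': `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'`,
      // Structured-field list of quoted URLs; exempt from CSP after this change.
      'Speculation-Rules': `"${RULES_PATH}"`,
    },
    body: `<!doctype html><script nonce="${nonce}">console.log("app")</script><a href="/next">next</a>` };
}

// Audit helper: list the rule sets a response pulls in via the header and
// whether each is cross-origin, since none of them is gated by CSP any more.
function headerRuleSets(headers, pageUrl) {
  const value = headers['Speculation-Rules'] || '';
  const urls = [...value.matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((m) => m[1]);
  return urls.map((u) => {
    const abs = new URL(u, pageUrl);
    return { url: abs.href, crossOrigin: abs.origin !== new URL(pageUrl).origin };
  });
}

// To serve it: require('node:http').createServer((req, res) => {
//   const r = respond(new URL(req.url, 'http://localhost').pathname);
//   res.writeHead(r.status, r.headers).end(r.body);
// }).listen(8080);
```

Whether the header-delivered rules actually loaded can then be confirmed in DevTools, as the Debuggability section says.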
On 10/8/24 1:05 PM, Liviu Tinta wrote:
Are there failure modes/compat implications y'all can think of by us sending the header where it was previously blocked? I can't think of anything, but you've probably thought about this for much longer than I have over the past 5 mins.
> Contact emails
> dom...@chromium.org, jbr...@chromium.org, liviu...@chromium.org
> Explainer
> https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
> Specification
> https://wicg.github.io/nav-speculation/speculation-rules.html#security-xss
> Summary
> This is somewhat of a bug-fix, but it's a web-exposed bug fix which deserves full web platform security review, so we're using the Intent to Ship process. When we initially shipped the Speculation-Rules header, we reused much of the architecture from the <script type=speculationrules> implementation, and thus it was blocked by CSP policies that blocked <script> elements. This has caused some friction among web developers adopting the Speculation-Rules header, who expected CSP to only apply to <script>s. After consulting with Google and Chrome security teams, we realized our initial implementation was a mistake, as CSP's script policies are meant to protect against injection of scripts into HTML, and the CSP threat model doesn't relate to HTTP headers. As such, we're updating the integration between speculation rules and CSP so that CSP only applies to <script type=speculationrules>, and not to the Speculation-Rules header.
> Blink component
> Internals>Preload
> TAG review
> None
> TAG review status
> Not applicable
> Risks
> Interoperability and Compatibility
> None
Is WebView the outlier here?
> Gecko: N/A
> WebKit: N/A
> Web developers: No signals
> Other signals:
> WebView application risks
> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
> This feature changes the behavior of existing APIs. The Finch killswitch is ExemptSpeculationRulesHeaderFromCSP.
> Debuggability
> Developers can check if the speculation rules specified via Speculation-Rules header, in the presence of a strict Content-Security-Policy is loaded successfully in DevTools via existing CSP DevTools support.
> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
> No
(Note: feature owner hat on, API owner hat off.)
Got it, thanks for confirming Domenic.
LGTM2
On 10/9/24 2:10 AM, Yoav Weiss (@Shopify) wrote:
LGTM1
I agree that this is a web-exposed bug fix, and that the likelihood of negative impact here at this stage of the feature's life is slim.