Intent to Deprecate and remove: CSP prefetch-src directive

Noam Rosenthal

Feb 5, 2023, 1:50:58 AM
to blink-dev
As part of the effort to make prefetch interoperable, we have recently changed the CSP spec, where there is no more prefetch-src. Instead, prefetch uses the "least restrictive directive" - any directive can allow CSP and by default it goes to default-src.

This allows using default-src to prevent exfiltration, while not introducing new hoops devs have to jump through to enable prefetching - if you enable any fetch for a URL, you can also prefetch it.


The intent is to:
- Remove the prefetch-src code
- Introduce the new behavior behind a flag, and go through the I2S process with it later on.

Some notes about this:
- Apple has recently implemented prefetch-src support in WebKit. However, this support is purely hypothetical because they don't support prefetching yet. We spoke with them and they are aligned with this change.
- prefetch-src was never officially shipped, however the runtime flag protection was removed by mistake in 2021, so it silently shipped. The consequence of removing it would be that some prefetches that were disallowed by prefetch-src (there is some minor usage of prefetch-src in the wild even though it was never shipped), would now be allowed until the new flag is enabled (the previous "official" behavior was that prefetches are not CSP-protected).

We can alternatively add a deprecation flag for prefetch-src and keep both code-paths, but I wonder if that's worth the hassle since, as mentioned before, it was never officially shipped and its removal would have only minor effects that are not "breaking".

Link to prefetch-src: https://chromestatus.com/feature/4607623783514112
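
The "least restrictive directive" behaviour described in the message above, sketched as an added example (not part of the original post and not Chromium's code). Assumptions: source matching is reduced to `*`, `'none'`, `'self'` and exact origins, a policy without default-src is treated as not restricting prefetch, and the function names, sample policy and origins are constructed for illustration.

```javascript
// Added example: simplified model of prefetch under the new CSP behaviour.
// Real CSP source matching (paths, wildcards, schemes, nonces) is more involved.
const FETCH_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "worker-src",
  "manifest-src", "child-src",
]);

// Parse a serialized policy into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives;
}

// Reduced source-list matching: '*', 'none', 'self' and exact origins only.
function sourceListAllows(sources, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((s) => {
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'") return origin === selfOrigin;
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}

// A prefetch passes if ANY fetch directive in the policy allows the URL.
// Assumption: a policy without default-src does not restrict prefetch at all.
function prefetchAllowed(policy, url, selfOrigin) {
  const directives = parsePolicy(policy);
  if (!directives.has("default-src")) return true;
  for (const [name, sources] of directives) {
    if (FETCH_DIRECTIVES.has(name) && sourceListAllows(sources, url, selfOrigin)) {
      return true; // least restrictive directive wins
    }
  }
  return false; // nothing allowed it, so default-src blocks the prefetch
}

// Constructed sample values (not from the thread).
const SAMPLE_POLICY = "default-src 'self'; img-src https://cdn.example";
const SAMPLE_SELF = "https://app.example";
console.log(prefetchAllowed(SAMPLE_POLICY, "https://cdn.example/a.png", SAMPLE_SELF));
```

With the sample policy, a prefetch to the image CDN passes because img-src allows that origin, while a prefetch to an origin that no directive lists is blocked, which is the exfiltration protection the message attributes to default-src.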

Yoav Weiss

Feb 17, 2023, 3:02:46 AM
to Noam Rosenthal, Jason Robbins, blink-dev
+Jason Robbins - another one that our tooling missed..

This intent seems to be missing a lot of the typical fields intents have, which makes it hard to review that all the checkboxes are properly filled. Can you maybe resend it based on the Chromestatus template?


Noam Rosenthal

Feb 17, 2023, 4:49:08 AM
to Yoav Weiss, Jason Robbins, blink-dev
On Fri, Feb 17, 2023 at 10:02 AM Yoav Weiss <yoav...@chromium.org> wrote:
> +Jason Robbins - another one that our tooling missed..
>
> This intent seems to be missing a lot of the typical fields intents have, which makes it hard to review that all the checkboxes are properly filled. Can you maybe resend it based on the Chromestatus template?

I've done that already last week and it was LGTMed :)

Yoav Weiss

Feb 17, 2023, 4:51:49 AM
to Noam Rosenthal, Jason Robbins, blink-dev
Cool! Apologies for the noise! :)