Intent to Ship: Same-site cross-origin prerendering triggered by the speculation rules API


Domenic Denicola

Oct 13, 2022, 9:35:50 PM
to blink-dev, robe...@chromium.org

Contact emails

dom...@chromium.org, robe...@chromium.org


Explainer

https://github.com/WICG/nav-speculation/blob/main/prerendering-same-site.md#more-details-on-cross-origin-same-site

https://github.com/WICG/nav-speculation/blob/main/opt-in.md


Specification

https://wicg.github.io/nav-speculation/prerendering.html#navigate-fetch-patch


Design docs

https://docs.google.com/document/d/1WsDYA8NMCSwsK8dXCKdajdAd3ZcQUu9w1eoe0hEB_nU/edit?usp=sharing


Summary

Previously we launched same-origin prerendering triggered by the speculation rules API. This expands coverage to also allow triggering same-site cross-origin pages. This prerendering will be done with credentials and storage access, but such prerender targets will need to opt in by using the `Supports-Loading-Mode: credentialed-prerender` header.


Blink component

Internals>Preload>Prerender


TAG review

https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1235043792


TAG review status

Pending


Risks

Interoperability and Compatibility

This feature does not have significant interoperability or compatibility risks on top of the already-shipped same-origin prerendering feature. This is mostly a straightforward extension of that.


The only potentially-interesting questions are around the design of the Supports-Loading-Mode header, which is the main new web-exposed "API". We've designed the header with an eye toward being easily implementable and future-extensible, using the structured headers infrastructure.


Gecko: No signal. No signal on previous requests for prerendering and prefetching. I added a comment to the existing issue about prerendering.


WebKit: No signal. No signal on previous requests for prerendering and prefetching. I took this opportunity to re-file on their new GitHub repository in the hopes of getting some feedback, and there was some brief discussion of the cross-site case, but nothing about the same-site cross-origin case.


Web developers: Positive. We've heard from a few partners that they want to prerender among other same-site origins they own, but cannot yet do so.


Ergonomics

This feature is triggered by the speculation rules API: https://chromestatus.com/feature/5740655424831488


Activation

Using this feature requires the target page to have some control over its HTTP headers. This is not possible on some hosting sites, e.g. GitHub Pages. We have envisioned a future extension of allowing a <meta> version of Supports-Loading-Mode that could address this, but have not yet heard of a concrete case where this would be necessary, so it is not included in this Intent.


Security

This feature allows one origin to cause another origin to be rendered, including its JavaScript code. Because this can be dangerous, we require the target origin to opt in using the Supports-Loading-Mode header.


This feature respects the cross-origin-isolation process model, to prevent the referrer and target pages from attacking each other through side channels.


These issues are discussed further in the design doc and explainer.


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This feature is not available on WebView.


Debuggability

DevTools support for prerendering in general remains in the early stages; you can track that work in https://crbug.com/1217029, or see our general development guide.


However, this expansion to cross-origin same-site target pages does not have any special debuggability concerns.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No. Prerendering is not supported on Android WebView.


Is this feature fully tested by web-platform-tests?

Yes


Flag name

SameSiteCrossOriginForSpeculationRulesPrerender


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1356449


Estimated milestones

Ship in 109 on both desktop and Android.


Anticipated spec changes

None.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4899735257743360


Links to previous Intent discussions

Intent to Prototype


This intent message was generated by Chrome Platform Status and tweaked by hand.
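
The opt-in described in the Summary and Security sections above, as an added example that is not part of the original post or of Chromium's code: a site owner's audit that flags endpoints sending `Supports-Loading-Mode: credentialed-prerender` outside an intended allow-list. It assumes the header value is a structured-header list of bare tokens; the paths, the `example-mode` token and the sample responses are constructed.

```javascript
// Added example: audit which responses opt in to credentialed prerendering.
// Assumption: the value is a Structured Fields list of bare tokens (RFC 8941).
// Simplification: members with parameters or other item types are treated as invalid.
const TOKEN = /^[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*$/;

function parseSupportsLoadingMode(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const modes = [];
  for (const member of value.split(',')) {
    const item = member.trim();
    if (!TOKEN.test(item)) return null; // unparseable header means no opt-in
    modes.push(item);
  }
  return modes;
}

function allowsCredentialedPrerender(headers) {
  // Header names are case-insensitive; token values are case-sensitive.
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'supports-loading-mode');
  const modes = entry ? parseSupportsLoadingMode(entry[1]) : null;
  return modes !== null && modes.includes('credentialed-prerender');
}

// Paths that opt in although the owner did not intend them to.
function unexpectedOptIns(responses, allowedPaths) {
  return responses
    .filter((r) => allowsCredentialedPrerender(r.headers))
    .map((r) => r.path)
    .filter((p) => !allowedPaths.has(p));
}

// Constructed sample responses (not captured traffic).
const SAMPLE = [
  { path: '/doc/view', headers: { 'Supports-Loading-Mode': 'credentialed-prerender' } },
  { path: '/settings/billing', headers: { 'supports-loading-mode': 'credentialed-prerender' } },
  { path: '/public', headers: { 'Content-Type': 'text/html' } },
  { path: '/broken', headers: { 'Supports-Loading-Mode': '"credentialed-prerender"' } },
];
console.log(unexpectedOptIns(SAMPLE, new Set(['/doc/view'])));
```
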


Alex Russell

Oct 19, 2022, 11:56:56 AM
to blink-dev, Domenic Denicola, robe...@chromium.org
This seems like a reasonable extension of the base feature, but I'm wondering who is asking for it. Can any of the partners you're working with express support for it publicly?

Thanks,

Alex

Rick Byers

Nov 1, 2022, 2:40:47 PM
to Alex Russell, blink-dev, Domenic Denicola, robe...@chromium.org
+1 to elaborate on "We've heard from a few partners that they want to prerender among other same-site origins they own" to the extent possible. But given the relatively small addition to an already shipped feature, I'm personally OK with a pretty low bar here. 

It looks like one of the new tests is timing out on wpt.fyi. Is the feature covered by --enable-experimental-web-platform-features? Either way, shouldn't the new test be reliably passing or failing rather than timing out?

Rick

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b9317f2b-3c20-4a09-833c-13d80cfa672en%40chromium.org.

Domenic Denicola

Nov 1, 2022, 10:42:53 PM
to Rick Byers, Alex Russell, blink-dev, Domenic Denicola, robe...@chromium.org
Hey folks,

I've been prodding the partners in question to respond here when best they can. Hopefully we'll hear from them soon!

This feature is not enabled under experimental-web-platform-features.

It's not really possible to write a test which fails in a non-timeout manner, because the failure mode of this feature is that something does *not* get prerendered. If something is not prerendered, there's no way to communicate this to the referrer, since the would-have-been-prerendered page has no ability to run code and signal such a failure.

Richard Owen

Nov 2, 2022, 10:50:23 AM
to Domenic Denicola, Rick Byers, Alex Russell, blink-dev, robe...@chromium.org
Does this discussion I have been viewing amongst you all happen to be over me and my network? If so, just to clear the air here: each and every single time that I have gotten on to the page that is my goal to get to, on any of my 5 or 6 devices, someone or something shuts me down. I'm not real happy about it, because it has discouraged me in pursuing this digital world that at first I could not get enough of, and now I am very confused about the whole situation. I want to be able to complete a task and then be able to view it somewhere, but I am not able to do that as well. Each time I get close, on one PC I have it completely shut down and on the other everything gets frozen, and then I have no control over it. I have no use for this kind of behavior, and I don't believe that any one of you would tolerate these actions happening to you. On every device that is around I am experiencing this same issue, with my mother's phone as well, and she has no part in any of this, and I would really appreciate it if you could leave her out of this project. My stepfather is having issues with his iPhone as well, so will you please terminate the latter two mentioned in your project? Respectfully. Thanks
orick

Philipp Weis

Nov 2, 2022, 10:50:38 AM
to blink-dev, dom...@chromium.org, sligh...@chromium.org, blink-dev, robe...@chromium.org, rby...@chromium.org
I left a comment on GitHub indicating desire from Google Workspace to start using this for preloading in cross-app user journeys (e.g. preloading a Docs document from Drive), which wouldn't really be possible without cross-origin support.

Thanks for considering this!

rbyers via Chromestatus

Nov 2, 2022, 11:37:53 AM
to blin...@chromium.org
LGTM1

Chris Harrelson

Nov 2, 2022, 11:38:27 AM
to rbyers via Chromestatus, blin...@chromium.org
LGTM2

On Wed, Nov 2, 2022 at 8:37 AM rbyers via Chromestatus <admin+...@cr-status.appspotmail.com> wrote:
LGTM1


Daniel Bratell

Nov 2, 2022, 11:39:16 AM
to Chris Harrelson, rbyers via Chromestatus, blin...@chromium.org