Intent to Prototype: Same-site cross-origin prerendering triggered by the speculation rules API

100 views
Skip to first unread message

Domenic Denicola

unread,
Sep 5, 2022, 10:14:20 PM9/5/22
to blink-dev, robe...@chromium.org

Contact emails

dom...@chromium.org, robe...@chromium.org


Explainer

https://github.com/WICG/nav-speculation/blob/main/prerendering-same-site.md#more-details-on-cross-origin-same-site


https://github.com/WICG/nav-speculation/blob/main/opt-in.md


Specification

https://wicg.github.io/nav-speculation/prerendering.html#navigate-fetch-patch


Design docs

https://docs.google.com/document/d/1WsDYA8NMCSwsK8dXCKdajdAd3ZcQUu9w1eoe0hEB_nU/edit?usp=sharing


Summary

Previously we launched same-origin prerendering triggered by the speculation rules API. This expands coverage to also allow triggering same-site cross-origin pages. This prerendering will be done with credentials and storage access, but such prerender targets will need to opt in by using the Supports-Loading-Mode: credentialed-prerender header.


Blink component

Internals>Preload>Prerender


Motivation

Prerendering is a useful technology for speeding up page loads, and ideally referrer pages would be able to prerender all target pages. By expanding the circle of prerenderable pages to include same-site cross-origin pages, we allow more navigations on the web to be instant.


Initial public proposal

https://github.com/WICG/nav-speculation/pull/181


TAG review

https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1235043792


TAG review status

Pending. (Review for this expansion was requested as a comment on an existing issues-mostly-addressed TAG review.)


Risks

Interoperability and Compatibility

This feature does not have significant interoperability or compatibility risks on top of the already-shipped same-origin prerendering feature. This is mostly a straightforward extension of that.

The only potentially-interesting questions are around the design of the Supports-Loading-Mode header, which is the main new web-exposed "API". We've designed the header with an eye toward being easily implementable and future-extensible, using the structured headers infrastructure.



Gecko: No signal. No signal on previous requests for prerendering and prefetching. I added a comment to the existing issue about prerendering.


WebKit: No signal. No signal on previous requests for prerendering and prefetching. I took this opportunity to re-file on their new GitHub repository in the hopes of getting some feedback.


Web developers: Positive. We've heard from a few partners that they want to prerender among other same-site origins they own, but cannot yet do so.


Ergonomics

This feature is triggered by the speculation rules API.


Activation

Using this feature requires the target page to have some control over its HTTP headers. This is not possible on some free hosting sites, e.g. GitHub Pages. We have envisioned a future extension of allowing a <meta> version of Supports-Loading-Mode that could address this, but have not yet heard of a concrete case where this would be necessary, so it is not included in this Intent.


Security

This feature allows one origin to cause another origin to be rendered, including its JavaScript code. Because this can be dangerous, we require the target origin to opt in using the Supports-Loading-Mode header.

This feature respects the cross-origin-isolation process model, to prevent the referrer and target pages from attacking each other through side channels.

These issues are discussed further in the design doc and explainer.


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This feature is not available on WebView.



Debuggability

DevTools support for prerendering in general remains in the early stages; you can track that work in https://crbug.com/1217029, or see our general development guide.


However, this expansion to cross-origin same-site target pages does not have any special debuggability concerns.


Is this feature fully tested by web-platform-tests?

Not yet, but we'll be writing such tests before shipping.


Flag name

SameSiteCrossOriginForSpeculationRulesPrerender


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1356449


Estimated milestones

DevTrial on desktop

107


DevTrial on Android

107


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4899735257743360


This intent message was generated by Chrome Platform Status and fixed up by hand.


Reply all
Reply to author
Forward
0 new messages