Intent to Ship: Speculation rules: Content Security Policy extension


Takashi Toyoshima

Mar 9, 2023, 8:26:58 AM
to blink-dev, Jeremy Roman, dom...@chromium.org, deno...@chromium.org, Mike West

Hi blink-dev,


This Intent to Ship is a bit unusual because we accidentally launched this change in M110, and are now properly going through the Intent to Ship process.

Here is the Intent, and let us know if there's anything else we should do to handle this unusual situation:


We have already modified our workflow to track each launch process closely with our TPM so as to avoid this kind of mistake in the future.

Contact emails

toyo...@chromium.org


Specification

https://wicg.github.io/nav-speculation/speculation-rules.html

https://github.com/WICG/nav-speculation/pull/213

https://github.com/WICG/nav-speculation/pull/245


Summary

Speculation rules are inlined in script tags, but their use will be restricted by Content Security Policy as unsafe inline scripts even if the speculation rules are safe.


So, we extend the Content Security Policy to have a new source keyword, ‘inline-speculation-rules’, for inline uses of speculation rules. With this new keyword, we can permit inline speculation rules without permitting inline scripts.



Blink component

Blink>SecurityFeature>ContentSecurityPolicy


TAG review

https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1461312356


TAG review status

Ongoing as a delta for Speculation Rules (Prefetch)


Risks



Interoperability and Compatibility



Gecko: No signal


WebKit: No signal


Web developers: We heard positive feedback from partners as there was no handy approach to permit speculation rules without allowing unsafe inline scripts.


Other signals:


WebView application risks

No incompatible change for existing APIs.



Debuggability

DevTools shows proper warning messages, as we do for other CSP violations.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


Is this feature fully tested by web-platform-tests?

Yes, in speculation-rules/prerender/csp-script-src-*


Flag name

N/A
(base::Feature is network::features::kPrerender2ContentSecurityPolicyExtensions)


Requires code in //chrome?

False for web-exposed changes, but we have a small change in chrome/browser/extensions/ to support it in Chrome Extensions too.


Estimated milestones

110

Anticipated spec changes

No specific concern.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5182859125456896


This intent message was generated by Chrome Platform Status.


--
Takashi Toyoshima
Software Engineer, Google
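Added example (not from the intent, the spec PRs, or Chromium): a small Python checker that applies the CSP3 fallback chain for inline script elements and shows the difference the new keyword makes, with the old 'unsafe-inline' workaround beside the narrow 'inline-speculation-rules' permission. The two sample policies are constructed for the example.

```python
"""Check whether a CSP header permits inline speculation rules.

Added example, not Chromium code. Models the CSP3 fallback chain script-src-elem
-> script-src -> default-src for inline <script> elements, and the rule that a
nonce or hash source makes 'unsafe-inline' ignored (per-element matching omitted).
"""
from dataclasses import dataclass

SPEC_RULES_KEYWORD = "'inline-speculation-rules'"  # keyword shipped in M110


@dataclass(frozen=True)
class InlineVerdict:
    inline_scripts: bool            # arbitrary inline <script> bodies allowed
    inline_speculation_rules: bool  # inline <script type="speculationrules"> allowed


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:  # first occurrence of a directive wins; repeats are ignored
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def evaluate_inline(header: str) -> InlineVerdict:
    """Decide what the header allows inline, using the script-src fallback chain."""
    policy = parse_csp(header)
    sources = next((policy[d] for d in ("script-src-elem", "script-src", "default-src")
                    if d in policy), None)
    if sources is None:
        return InlineVerdict(True, True)  # no governing directive: nothing restricted
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    unsafe_inline = "'unsafe-inline'" in lowered and not has_nonce_or_hash
    # The new keyword opens inline speculation rules without opening inline scripts.
    spec_rules = unsafe_inline or SPEC_RULES_KEYWORD in lowered
    return InlineVerdict(inline_scripts=unsafe_inline, inline_speculation_rules=spec_rules)


# Constructed sample policies: the old workaround beside the narrow permission.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_POLICY = "default-src 'self'; script-src 'self' 'inline-speculation-rules'"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, evaluate_inline(header))
```

Run as a script it reports the weak policy as permitting both inline scripts and speculation rules, and the hardened one as permitting only speculation rules.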

Yoav Weiss

Mar 13, 2023, 5:59:45 AM
to Takashi Toyoshima, blink-dev, Jeremy Roman, dom...@chromium.org, deno...@chromium.org, Mike West
LGTM1. This seems like a reasonable, compatible addition which doesn't modify the interop risk calculus.

On Thu, Mar 9, 2023 at 2:26 PM 'Takashi Toyoshima' via blink-dev <blin...@chromium.org> wrote:

Hi blink-dev,


This Intent to Ship is a bit unusual because we accidentally launched this change in M110, and are now properly going through the Intent to Ship process.

Here is the Intent, and let us know if there's anything else we should do to handle this unusual situation:


We have already modified our workflow to track each launch process closely with our TPM so as to avoid this kind of mistake in the future.


Thanks for catching that and aligning your workflows to prevent future web exposed changes from bypassing the process.


TAMURA, Kent

Mar 13, 2023, 6:42:48 PM
to Takashi Toyoshima, blink-dev, Jeremy Roman, dom...@chromium.org, Yoav Weiss, deno...@chromium.org, Mike West
LGTM2.
I agree with Yoav.




--
TAMURA Kent
Software Engineer, Google


Philip Jägenstedt

Mar 14, 2023, 6:13:21 AM
to TAMURA, Kent, Takashi Toyoshima, blink-dev, Jeremy Roman, dom...@chromium.org, Yoav Weiss, deno...@chromium.org, Mike West
LGTM3, thanks for making this change visible.

Takashi Toyoshima

Mar 15, 2023, 4:05:17 AM
to Philip Jägenstedt, TAMURA, Kent, blink-dev, Jeremy Roman, dom...@chromium.org, Yoav Weiss, deno...@chromium.org, Mike West
Thank you for taking your time to review this, everyone!
