Intent to remove: prefetch-src

Noam Rosenthal

Feb 8, 2023, 4:26:02 AM
to blink-dev
(sending this again, previous email was lacking template & details)


Primary eng (and PM) emails

nrose...@chromium.org

mk...@chromium.org


Summary

Prefetch-src was never fully adopted, but was shipped by mistake in 2021 (the flag was removed, oops).

We’ve since changed the spec, and the replacement is in development.


Motivation

See https://github.com/w3c/webappsec-csp/issues/563

The motivation is to clean up CSP directives that are not in consensus/use.

The new least-restrictive-directive method for prefetch-src requires less churn from developers and is accepted by other vendors.


Interoperability and Compatibility Risk

There are some pages (0.02%) out there that use prefetch-src, even though it was never officially shipped in any browser (but, as said before, was mistakenly shipped by Chrome in 2021). Those pages would not get the (partial) protection that prefetch-src gives: blocking a prefetch under certain conditions. When we ship Least Restrictive Directive, which had gained consensus,  


Firefox: Never implemented prefetch-src, positive on prefetch behavior alignment

Safari: positive to removal and prefetch behavior alignment


Note that WebKit has recently implemented prefetch-src into their CSP parser, but they did not implement prefetch yet so that is hypothetical. They have confirmed that they are aligned with this change.

Alternative implementation suggestion for web developers

See https://chromestatus.com/feature/5553640629075968. Prefetch will by default be protected by default-src, and other directives can allow it (“least restrictive directive”). This would make protecting against exfiltration more transparent, not requiring a new directive for each type of way to fetch.


Usage information from UseCounter

There is no UseCounter for prefetch-src. HTTP-Archive shows that responses that included prefetch-src in their CSP header amounted to 0.02% of all document requests.


Entry on the feature dashboard

https://chromestatus.com/guide/edit/4607623783514112
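
An added example, not part of the original email and not Chromium's code: a simplified JavaScript model of the "least restrictive directive" rule described under "Alternative implementation suggestion", usable to audit a CSP header that still carries prefetch-src. The function names, the sample hosts in the test and the reduced source-matching rules are assumptions of this sketch.

```javascript
// Simplified model of "least restrictive directive" for prefetch (added example).
// Assumptions: source matching covers only *, 'none', 'self', scheme-sources and
// host-sources (optional scheme, optional leading "*."); paths, ports, nonces and
// hashes never match, so the result errs towards "blocked".
const FETCH_DIRECTIVES = new Set(["default-src", "script-src", "style-src", "img-src",
  "font-src", "connect-src", "media-src", "object-src", "frame-src", "child-src",
  "worker-src", "manifest-src"]); // prefetch-src is deliberately absent: it is removed

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // CSP ignores repeated directives: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, target, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return target.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // keyword, nonce, hash, or a form this sketch does not model
  if (m[1] && target.protocol !== m[1] + ":") return false;
  return m[2] ? target.hostname.endsWith("." + m[3]) : target.hostname === m[3];
}

// Reports whether a prefetch of prefetchUrl from pageUrl passes the policy, and
// flags headers that still rely on the removed prefetch-src directive.
function auditPrefetch(header, pageUrl, prefetchUrl) {
  const policy = parseCsp(header);
  const target = new URL(prefetchUrl), self = new URL(pageUrl);
  const result = { usesPrefetchSrc: policy.has("prefetch-src"), allowed: true, allowedBy: null };
  // Assumption: prefetch is gated by default-src, so without it nothing is blocked.
  if (!policy.has("default-src")) return result;
  for (const [name, sources] of policy) {
    if (FETCH_DIRECTIVES.has(name) && sources.some((s) => sourceMatches(s, target, self))) {
      result.allowedBy = name; // any fetch directive that allows the URL is enough
      return result;
    }
  }
  result.allowed = false; // default-src exists and no directive allows the target
  return result;
}
```

A header flagged with `usesPrefetchSrc` should be reviewed so that its intended prefetch restrictions are expressed through `default-src` and the other fetch directives.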


Mike West

Feb 8, 2023, 5:21:33 AM
to Noam Rosenthal, blink-dev
LGTM0 (I'm recused, as this has my name on it).

For a little more color, we accidentally shipped `prefetch-src` in M92 when moving CSP parsing out of the renderer. The check in https://chromium-review.googlesource.com/c/chromium/src/+/2839603/8/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc#b402 wasn't replicated in the network stack, and none of our tests covered it (since the flag was set to "experimental", so passing was expected).

We've since aligned with other vendors on an alternate approach that Noam aims to ship separately. This approach should completely cover developers' current usage of `prefetch-src` to gate outgoing request destinations, and do so cross-browser, which would be nice.

Skimming through HTTP Archive results, my suspicion is that the 0.02% number Noam quotes would be much lower if taken as a percentage of page views. But even if they aren't, there's no user-visible breakage that removing the `prefetch-src` directive would create. The impact of removal is that pages using `prefetch-src` to prevent certain prefetch requests would fail to do so. That impact will be mitigated when Noam ships the other thing mentioned above (which, ideally, would happen in the same release :) ).

As Noam notes, we have positive feedback on that proposal from other vendors, and it doesn't seem necessary to me to ask TAG whether we should remove something that's been removed from the relevant spec after discussion and agreement on an alternative.

Thanks!

-mike



Yoav Weiss

Feb 8, 2023, 7:48:10 AM
to Mike West, Noam Rosenthal, blink-dev
LGTM1 - as potential breakage won't be user visible and would be mitigated by other means.

Chris Harrelson

Feb 8, 2023, 11:39:31 AM
to Yoav Weiss, Mike West, Noam Rosenthal, blink-dev

Daniel Bratell

Feb 8, 2023, 12:11:57 PM
to Chris Harrelson, Yoav Weiss, Mike West, Noam Rosenthal, blink-dev