Primary eng (and PM) emails
Summary
Prefetch-src was never fully adopted, but was shipped by mistake in 2021 (the flag was removed, Oops)
We’ve since changed the spec, and the replacement is in development.
Motivation
See https://github.com/w3c/webappsec-csp/issues/563
The motivation is to clean up CSP directives that are not in consensus/use.
The new least-restrictive-directive method for prefetch-src requires less churn from developers and is accepted by other vendors.
Interoperability and Compatibility Risk
There are some pages (0.02%) out there that use prefetch-src, even though it was never officially shipped in any browser (but, as said before, was mistakenly shipped by Chrome in 2021). Those pages would not get the (partial) protection that prefetch-src gives: blocking a prefetch under certain conditions. When we ship Least Restrictive Directive, which had gained consensus,
Firefox: Never implemented prefetch-src, positive on prefetch behavior alignment
Safari: positive to removal and prefetch behavior alignment
Alternative implementation suggestion for web developers
See https://chromestatus.com/feature/5553640629075968. Prefetch will by default be protected by default-src, and other directives can allow it (“least restrictive directive”). This would make protecting against exfiltration more transparent, not requiring a new directive for each type of way to fetch.
Usage information from UseCounter
There is no UseCounter for prefetch-src. HTTP Archive shows that responses that included prefetch-src in their CSP header amounted to 0.02% of all document requests.
Entry on the feature dashboard
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJn%3DMYZf5ZRWhsD1pnQBoN3Leq0WSt0nW1sTXp3mveR5ojWaNw%40mail.gmail.com.
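Added example (not code from this thread, from Chromium, or from the CSP spec): a simplified CSP evaluator in JavaScript that contrasts the old prefetch-src lookup with the "least restrictive directive" rule the intent describes, so a developer can see which prefetches a given policy would have blocked before and after the change. Source-expression matching is deliberately reduced (no paths, ports, nonces or hashes), the directive list and function names are this example's own, and the handling of a policy that carries no default-src at all is an assumption, not spec text.

```javascript
// Simplified CSP evaluation for prefetch requests. Example code only; the
// fetch-directive list and helper names are this example's assumptions.
const FETCH_DIRECTIVES = [
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "style-src",
  "worker-src",
];

// Parse a CSP header value into Map<directive name, source expressions>.
// As in CSP, a repeated directive name keeps its first occurrence.
function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// Does one (reduced) source expression match `url` for a document at `origin`?
// Supports 'none', 'self', '*', scheme-source ("https:") and host-source
// ("https://cdn.example.com", "*.example.com"); anything else is unsupported
// and treated as non-matching.
function sourceMatches(expr, url, origin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === origin.origin;
  if (expr === "*") return url.protocol === "https:" || url.protocol === origin.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (!scheme && url.protocol !== origin.protocol && url.protocol !== "https:") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

function directiveAllows(policy, name, url, origin) {
  const sources = policy.get(name);
  return sources !== undefined && sources.some((e) => sourceMatches(e, url, origin));
}

// Old (mistakenly shipped) behaviour: prefetch-src governs the prefetch; if it
// is absent, default-src does; if neither is present the policy does not
// restrict prefetch at all.
function prefetchAllowedByPrefetchSrc(header, urlStr, originStr) {
  const policy = parsePolicy(header);
  const url = new URL(urlStr);
  const origin = new URL(originStr);
  const governing = policy.has("prefetch-src") ? "prefetch-src"
    : policy.has("default-src") ? "default-src" : null;
  return governing === null || directiveAllows(policy, governing, url, origin);
}

// Replacement behaviour as the intent describes it: default-src protects the
// prefetch, but any other fetch directive that allows the URL also allows it,
// and prefetch-src is ignored entirely. Assumption (not spec text): a policy
// with no default-src does not restrict prefetch, mirroring CSP's usual
// fallback rule for missing directives.
function prefetchAllowedLeastRestrictive(header, urlStr, originStr) {
  const policy = parsePolicy(header);
  const url = new URL(urlStr);
  const origin = new URL(originStr);
  if (!policy.has("default-src")) return true;
  return ["default-src", ...FETCH_DIRECTIVES].some((d) => directiveAllows(policy, d, url, origin));
}

// Constructed policies and URLs for illustration.
const POLICY_WITH_PREFETCH_SRC = "prefetch-src https://cdn.example.com; default-src 'self'";
const POLICY_WITHOUT_PREFETCH_SRC = "default-src 'none'; img-src https://cdn.example.com; script-src 'self'";
const DOC_ORIGIN = "https://app.example.com";
```

The two functions disagree exactly where the intent says they will: with `POLICY_WITHOUT_PREFETCH_SRC`, the old lookup falls through to `default-src 'none'` and blocks a prefetch of `https://cdn.example.com/x.png`, while the least-restrictive rule allows it because `img-src` already allows that host; with `POLICY_WITH_PREFETCH_SRC`, the old lookup honours the explicit `prefetch-src` list and the new rule discards it and uses `default-src 'self'` instead. Sites that relied on `prefetch-src` to be stricter than their other fetch directives should check their policies against the second case.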
LGTM3
/Daniel