
Intent to Ship: Resource Hint "Least Restrictive" CSP


Noam Rosenthal

Feb 15, 2023, 5:53:13 AM
to blink-dev

Contact emails

nrose...@chromium.org

Specification

https://www.w3.org/TR/CSP3/#does-resource-hint-violate-policy

Summary

A replacement for the `prefetch-src` directive, which never got traction and was recently removed. Instead of relying on a bespoke CSP directive, `<link rel=prefetch>` (and later preconnect/dns-prefetch) would be allowed if *any* directive in the policy would allow fetching this URL for any reason. This is because prefetching/preconnecting does not actually do anything with the resource, but only fetches it for a later reason. This allows developers to use resource hints without needing to tweak their content security policy, while giving a tool to prevent exfiltration by having default-src block prefetches.

For example:

`default-src *`

`default-src 'none'; script-src *`

would allow prefetch, while `default-src 'none'` would not.



Blink component

Blink>SecurityFeature>ContentSecurityPolicy

TAG review



TAG review status

Not applicable

Risks

The impact of this would be that pages with a very restrictive CSP (e.g. `default-src 'none'` with nothing else) will not allow prefetches, causing a slight performance hit if they were relying on those prefetches. This is the intended consequence though, as now those pages can prevent exfiltration via prefetch.


Interoperability and Compatibility


Gecko: Positive (https://github.com/mozilla/standards-positions/issues/723)

WebKit: Positive (https://github.com/WebKit/standards-positions/issues/114)

Web developers: No signals


WebView application risks

N/A

Debuggability

N/A

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes. See https://wpt.fyi/results/content-security-policy/resource-hints

Flag name

ResourceHintsLeastRestrictiveCSP

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1406444

Estimated milestones

112



Anticipated spec changes

No known open issues



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5553640629075968

This intent message was generated by Chrome Platform Status.
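A simplified model of the rule described in the Summary, added here as an example; it is not Chromium's implementation or code from the intent. It covers only a subset of CSP source-expression syntax ('none', 'self', *, scheme-only sources such as "https:", and host sources with optional scheme, "*." wildcard and port; no paths) and, following the spec's first step, treats a policy with no default-src as not restricting hints at all.

```javascript
// Added example (not Chromium's code): a simplified model of the "least
// restrictive" rule: a prefetch is allowed if ANY fetch directive in the policy
// would allow fetching the URL. Only a subset of source syntax is modelled:
// 'none', 'self', *, "https:", host sources (optional scheme, "*." wildcard, port).
const FETCH_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src", "child-src", "manifest-src", "worker-src",
]);

// "default-src 'none'; script-src *" -> Map { default-src: ["'none'"], script-src: ["*"] }
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1)); // first one wins
  }
  return directives;
}

function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === self.origin;
  if (s === "*") return /^https?:$/.test(url.protocol); // network schemes only
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === url.protocol; // scheme-only source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // nonces, hashes and other keywords never match a host
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  return hostOk && (!port || port === "*" || port === urlPort);
}

// true when a <link rel=prefetch> to urlString does NOT violate the policy.
function prefetchAllowed(policy, urlString, pageOrigin) {
  const directives = parsePolicy(policy);
  const url = new URL(urlString);
  const self = new URL(pageOrigin);
  // No default-src means nothing to fall back on, so hints are unrestricted
  // (the spec's first step; the intent above does not spell this case out).
  if (!directives.has("default-src")) return true;
  for (const [name, sources] of directives) {
    if (!FETCH_DIRECTIVES.has(name)) continue;
    if (sources.some((src) => sourceMatches(src, url, self))) return true;
  }
  return false;
}
```

The three policies from the Summary give true, true and false respectively; a policy such as `default-src 'none'; img-src https://*.example.com` allows a prefetch of an image on that domain but not one on an unrelated host.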

Yoav Weiss

Feb 15, 2023, 9:58:56 AM
to Noam Rosenthal, blink-dev
LGTM1

Thanks for cleaning this up and landing on a solution that's ideal for developers (as CSP for prefetches would Just Work™, based on their other directives).


Mike Taylor

Feb 15, 2023, 11:24:25 AM
to Yoav Weiss, Noam Rosenthal, blink-dev

Noam Rosenthal

Feb 22, 2023, 2:07:17 AM
to Mike Taylor, Yoav Weiss, blink-dev
Anyone for a LGTM3? :)

Philip Jägenstedt

Feb 22, 2023, 11:34:30 AM
to Noam Rosenthal, Mike Taylor, Yoav Weiss, blink-dev