Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add "Content-Security-Policy" to speculation rules explainer #209

Closed
wants to merge 1 commit into from
Closed

Add "Content-Security-Policy" to speculation rules explainer #209

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions triggers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
- [Handler URLs](#handler-urls)
- [External speculation rules via script elements](#external-speculation-rules-via-script-elements)
- [More speculation actions](#more-speculation-actions)
- [Content-Security-Policy](#content-security-policy)
- [Proposed processing model](#proposed-processing-model)
- [Developer tooling](#developer-tooling)
- [Feature detection](#feature-detection)
Expand Down Expand Up @@ -283,6 +284,10 @@ Adding `"dns-prefetch"` and `"preconnect"`, to mirror [Resource Hints](https://w

Another envisioned speculative action is `"prefetch_with_subresources"`, which prefetches a document and then uses the HTML preload scanner to find other subresources that are worth preloading. Chromium currently does something similar (known as "[NoState Prefetch](https://developer.chrome.com/blog/nostate-prefetch/)") for `<link rel="prerender">`. But, we're not yet sure this feature is pulling its weight, in between the lightweight prefetch and the fully-instant prerender features, so it's not yet clear whether this will be worth integrating.

## Content-Security-Policy

`Speculation-Rules` is embedded in a script tag with `type="speculationrules"`. But the tag is exempted from the `script-src` restriction of the [Content-Security-Policy](https://w3c.github.io/webappsec-csp/). Instead, prefetch and prerender are restricted by the `prefetch-src` of the [Content-Security-Policy](https://w3c.github.io/webappsec-csp/). This gives the page more strict and detailed security controls. This makes more sense than using `script-src`, since `Speculation-Rules` are only using the `<script>` element for its HTML parsing behavior; `Speculation-Rules` are not executable code. At the same time, this allows the page to embed a dynamically generated `Speculation-Rules` to give a better prerendering candidate based on user actions without permitting a relaxed restriction `script-src: unsafe-inline`.

## Proposed processing model

Conceptually, the user agent may from time to time execute a task to consider speculation. (In practice, it will likely do this only in response to some sort of DOM mutation or other event that indicates the applicable rules have changed, and may limit its attention to the affected parts of the document.) Changes to the DOM that are undone within a task cannot therefore be observed by this algorithm.
Expand Down