Add the "speculationrules" destination #1841
Conversation
Part of whatwg/html#11426, for requests initiated by the `Speculation-Rules` HTTP header.
|
This is ready to merge! |
| <td rowspan=22>"" | ||
| <td>"<code>report</code>" | ||
| <td rowspan=2>— | ||
| <td rowspan=3>— |
There was a problem hiding this comment.
Are you sure this is accurate? Wouldn't this be governed by connect-src at least?
There was a problem hiding this comment.
No, per discussion with CSP folks, header-initiated fetches are not generally governed by CSP at all. The reasoning is that CSP is a mechanism for protection against HTML injection defense, not header-injection defense; if an attacker can inject headers, then they can mess up your CSP and do all sorts of bad things.
I guess Link might be governed by CSP, but that's more of a historical accident...
There was a problem hiding this comment.
I'm not sure I agree with that.
I think it also depends on the order the headers are processed in. If the CSP header is processed first (and I hope that it is), any fetch following it would automatically be subject to CSP.
There was a problem hiding this comment.
Yeah, not sure, probably something to discuss with the CSP spec editors if you want to make changes to that policy...
There was a problem hiding this comment.
@antosart mind chiming in?
I think in the HTML standard we create a policy container from navigation response first thing and I wouldn't expect us to fetch anything else before that is complete. (This happens deep into https://html.spec.whatwg.org/#create-navigation-params-by-fetching if I'm reading things correctly.)
Are you also suggesting for instance that we would not take Referrer Policy into account here?
There was a problem hiding this comment.
If I understand correctly, fetches do indeed happen after the policy container is created from the navigation response. However, the current proposal is to have Speculation-Rules headers explicitly bypass CSP by allowlisting the "speculationrules" destination in CSP (w3c/webappsec-csp#776). Digging a bit, that seem to be the result of experiments and discussion (see https://chromestatus.com/feature/5123809745829888?gate=5093909324365824).
I expect the reason for this to be rooted in the attempt of CSP to do (at least) two things at the same time, i.e. control script execution and gate outgoing requests (which in the case of script-src end up colliding even if they are conceptually distinct - fetching a script content is not the same as executing it). Gating the Speculation-Rules header behind script-src would make it impossible to use the feature with strict CSP. Gating it behind something else (e.g. connect-src) could be somehow confusing given that the other way to specify speculationrules is in a script tag (for which script-src does apply). It's not totally clear to me what the best option is here, but I think it would make sense to have some record/explanation of why the choice was made.
There was a problem hiding this comment.
I don't think that the usage of <script> necessarily implies script-src. script-src makes sense when the result is script execution, but if we were to use <script> for JSON modules or some such it shouldn't use script-src but the same thing that the "json" destination devolves into. I think the same kind of rationale applies here, which I suspect means connect-src in the end.
I know some at Google don't care about the exfiltration angle of CSP, but I don't think we have ever reached agreement on giving up on it, so until we get there I think new fetch contexts should play by the same rules as existing ones.
Part of whatwg/html#11426, for requests initiated by the
Speculation-RulesHTTP header.This should be merged a bit after whatwg/html#11426. Otherwise it will reference the WICG draft.
(See WHATWG Working Mode: Changes for more details.)
Preview | Diff