Re: Preloading using JS instead of a tag

> On Aug 27, 2020, at 1:05 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
> 
> Hi Web Perf experts,
> 
> We're working <https://www.chromestatus.com/feature/5710618575241216> on using (unsigned) web bundles to help with preloading subresources. The current design is at https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md, but roughly the idea is that a page would build a bundle of the subresources it intends to use and put a
> 
> <link rel="webbundle" href="/the_bundle.wbn" scope="/resources">
> 
> with their other preloads (or one of several variations). After that,
> 
> <script src="/resources/foo.js">
> 
> would find the version in the bundle instead of having to fetch it independently.

This isn’t about preloading, is it? This will actually affect the resource being used by that script element. Preload doesn’t do that, so this is a pretty different feature.

> In https://github.com/WICG/webpackage/issues/580, Krzysztof worries that adding any new way for a <link> tag to affect script loading is a security risk, because pages may not be as careful about preventing users from injecting <link> tags as they are about <script> tags. Instead, he suggests using a JavaScript API to tell the browser to preload subresources using a bundle.

That would be a pretty serious security risk. Putting all other objections against web packaging / web bundles aside, this will be a pretty big show stopper.

- R. Niwa

Received on Friday, 28 August 2020 05:30:33 UTC
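
The concern discussed in this thread, that pages filter `<script>` more carefully than `<link>`, shown as an added example that is not part of the original message or of the web bundle proposal: an element policy for user-supplied HTML that only blocks script-like tags, beside one that also checks every `rel` token on a `<link>`. The `{tag, attrs}` element shape, the function names and the `INERT_REL` allowlist are assumptions made for this example.

```javascript
// Added example. Elements arrive already parsed as {tag, attrs}; the HTML
// parser is out of scope and the element shape is an assumption.

const SCRIPT_LIKE = new Set(["script", "iframe", "object", "embed"]);

// Assumed allowlist: link types that only annotate the document.
const INERT_REL = new Set(["author", "help", "license"]);

// Weak policy: only script-like elements are treated as dangerous.
function naivePolicy(el) {
  return !SCRIPT_LIKE.has(el.tag.toLowerCase());
}

// rel is a whitespace-separated, ASCII case-insensitive token list.
function relTokens(el) {
  const rel = (el.attrs && el.attrs.rel) || "";
  return rel.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
}

// Hardened policy: a <link> survives only if every rel token is inert.
function hardenedPolicy(el) {
  if (!naivePolicy(el)) return false;
  if (el.tag.toLowerCase() !== "link") return true;
  const tokens = relTokens(el);
  return tokens.length > 0 && tokens.every((t) => INERT_REL.has(t));
}

function sanitize(elements, policy) {
  return elements.filter(policy);
}

// Constructed sample of user-supplied markup, already parsed.
const SAMPLE = [
  { tag: "p", attrs: {} },
  { tag: "script", attrs: { src: "/resources/foo.js" } },
  { tag: "LINK", attrs: { rel: "webbundle", href: "/the_bundle.wbn", scope: "/resources" } },
  { tag: "link", attrs: { rel: "license  WebBundle", href: "/x.wbn" } },
  { tag: "link", attrs: { rel: "license", href: "/terms" } },
  { tag: "link", attrs: { href: "/no-rel" } },
];

const summarize = (els) => els.map((e) => `${e.tag}:${e.attrs.rel || "-"}`);
console.log("naive   :", summarize(sanitize(SAMPLE, naivePolicy)));
console.log("hardened:", summarize(sanitize(SAMPLE, hardenedPolicy)));
```

The hardened policy allowlists `rel` tokens rather than denylisting `webbundle`, so a link type introduced later is rejected until someone reviews it.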