Re: Preloading using JS instead of a tag

Hi Ryosuke. Thanks for sharing concerns.

I'm wondering: if we have imperative JS APIs which are *equivalent* to the
declarative one, will some of the security concerns be addressed?

Imperative JS APIs can be something like:

// Tentative ideas. API surfaces do not matter for now.
  href: '',
  resources: ['', '', ...]

# Then, UA will try to load '' (the same
origin resource of the bundle) from the specified bundle, instead of the
<img src=''>

Is my understanding correct?

On Fri, Aug 28, 2020 at 2:30 PM Ryosuke Niwa <> wrote:

> On Aug 27, 2020, at 1:05 PM, Jeffrey Yasskin <> wrote:
>
> > Hi Web Perf experts,
> >
> > We're working <> on
> > using (unsigned) web bundles to help with preloading subresources. The
> > current design is at
> > but roughly the idea is that a page would build a bundle of the
> > subresources it intends to use and put a
> > <link rel="webbundle" href="/the_bundle.wbn" scope="/resources">
> > with their other preloads (or one of several variations). After that,
> > <script src="/resources/foo.js">
> > would find the version in the bundle instead of having to fetch it
> > independently.
>
> This isn’t about preloading is it? This will actually affect the resource
> being used by that script element. preload doesn’t do that so this is a
> pretty different feature.
>
> > In, Krzysztof worries that
> > adding any new way for a <link> tag to affect script loading is a security
> > risk, because pages may not be as careful about preventing users from
> > injecting <link> tags as they are about <script> tags. Instead, he suggests
> > using a Javascript API to tell the browser to preload subresources using a
> > bundle.
>
> That would be a pretty serious security risk. Putting all other objections
> against web packaging / web bundles aside, this will be a pretty big show
> stopper.
>
> - R. Niwa


Received on Friday, 28 August 2020 07:18:17 UTC
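
The concern quoted in this message, a `<link>` tag changing what a `<script src>` resolves to, can be audited in markup. The following is an added example, not code from the thread or from the web bundles proposal; the function names, the sample markup and the path-boundary scope matching are assumptions.

```javascript
// Added example: list the <script src> loads that fall inside the scope of a
// <link rel="webbundle"> tag. rel/href/scope follow the markup quoted in this
// thread; function names and the sample markup are constructed assumptions.

// Attributes of every <tagName ...> start tag (simple scanner, not a full HTML parser).
function startTags(html, tagName) {
  const tagRe = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  const tags = [];
  for (const m of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of m[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// Assumption: scope matches on a path boundary; the thread does not define matching.
function inScope(url, scope) {
  return url === scope || url.startsWith(scope.endsWith('/') ? scope : scope + '/');
}

// Returns [{ script, bundle, scope }] for each script URL covered by a bundle scope.
function scriptsCoveredByBundles(html, pageUrl) {
  const bundles = startTags(html, 'link')
    // Links without href or scope are skipped: the thread does not say what they cover.
    .filter(a => /(^|\s)webbundle(\s|$)/i.test(a.rel || '') && a.href && a.scope)
    .map(a => ({ bundle: new URL(a.href, pageUrl).href, scope: new URL(a.scope, pageUrl).href }));
  const findings = [];
  for (const s of startTags(html, 'script')) {
    if (!s.src) continue;
    const script = new URL(s.src, pageUrl).href;
    for (const b of bundles) {
      if (inScope(script, b.scope)) findings.push({ script, ...b });
    }
  }
  return findings;
}

// Constructed sample: two script tags plus a <link> inside user-supplied comment markup.
const SAMPLE_HTML = `
<script src="/resources/foo.js"></script>
<script src="/vendor/lib.js"></script>
<div class="comment"><link rel="webbundle" href="/uploads/u1.wbn" scope="/resources"></div>`;

console.log(scriptsCoveredByBundles(SAMPLE_HTML, 'https://example.test/page'));
```

Each finding pairs a script URL with the bundle that would supply it, so a reviewer can check whether that `<link>` came from a trusted template or from a region that renders user input.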