Re: Preloading using JS instead of a tag

Hi Ryosuke. Thanks for sharing concerns.

I'm wondering: if we have imperative JS APIs which are *equivalent* to the
declarative one, will some of the security concerns be addressed?

Imperative JS APIs can be something like:

<script>
// Tentative ideas. API surfaces do not matter for now.
document.webbundles.add({
  href: 'https://www.example.com/foo.wbn',
  resources: ['https://www.example.com/a.png',
              'https://www.example.com/b.css', ...]
});
</script>

# Then, the UA will try to load 'https://www.example.com/a.png' (a
same-origin resource of the bundle) from the specified bundle, instead of
the network.
<img src='https://www.example.com/a.png'>

Is my understanding correct?

On Fri, Aug 28, 2020 at 2:30 PM Ryosuke Niwa <rniwa@apple.com> wrote:

>
> On Aug 27, 2020, at 1:05 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
>
> Hi Web Perf experts,
>
> We're working <https://www.chromestatus.com/feature/5710618575241216> on
> using (unsigned) web bundles to help with preloading subresources. The
> current design is at
> https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md,
> but roughly the idea is that a page would build a bundle of the
> subresources it intends to use and put a
>
> <link rel="webbundle" href="/the_bundle.wbn" scope="/resources">
>
> with their other preloads (or one of several variations). After that,
>
> <script src="/resources/foo.js">
>
> would find the version in the bundle instead of having to fetch it
> independently.
>
>
> This isn’t about preloading is it? This will actually affect the resource
> being used by that script element. preload doesn’t do that so this is a
> pretty different feature.
>
> In https://github.com/WICG/webpackage/issues/580, Krzysztof worries that
> adding any new way for a <link> tag to affect script loading is a security
> risk, because pages may not be as careful about preventing users from
> injecting <link> tags as they are about <script> tags. Instead, he suggests
> using a JavaScript API to tell the browser to preload subresources using a
> bundle.
>
>
> That would be a pretty serious security risk. Putting all other objections
> against web packaging / web bundles aside, this will be a pretty big show
> stopper.
>
> - R. Niwa
>
>

-- 
Hayato

Received on Friday, 28 August 2020 07:18:17 UTC
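
An added illustration of the concern quoted above (not code from this thread or from the Web Bundles explainer): an audit that lists which `<script src>` URLs on a page fall under the scope of each `<link rel="webbundle">`, plus a sanitizer policy that treats such links like scripts in user-supplied markup. The helper names, the `untrusted` flag, the sample elements and the prefix-match reading of `scope` are assumptions made for this example.

```javascript
// Added example: hypothetical helper names, constructed sample data.
// Assumption: a scope covers a URL that is same-origin with it and whose
// path starts with the scope's path (plain prefix match).
const relTokens = rel => (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
const isTag = (el, name) => el.tag.toLowerCase() === name;
const isBundleLink = el => isTag(el, 'link') && relTokens(el.attrs.rel).includes('webbundle');

function inScope(url, scope) {
  return url.origin === scope.origin && url.pathname.startsWith(scope.pathname);
}

// For each webbundle link, list the <script src> URLs its scope would cover.
function auditBundleLinks(elements, pageUrl) {
  const scripts = elements
    .filter(el => isTag(el, 'script') && el.attrs.src)
    .map(el => new URL(el.attrs.src, pageUrl));
  return elements.filter(isBundleLink).map(link => {
    const scope = link.attrs.scope ? new URL(link.attrs.scope, pageUrl) : null;
    return {
      bundle: new URL(link.attrs.href || '', pageUrl).href,
      untrusted: Boolean(link.untrusted),
      scripts: scope ? scripts.filter(s => inScope(s, scope)).map(s => s.href) : [],
    };
  });
}

// Policy for user-supplied markup: reject <script> and webbundle <link> alike.
function allowInUserContent(el) {
  return !isTag(el, 'script') && !isBundleLink(el);
}

// Constructed sample: elements of one page; `untrusted` marks user-supplied markup.
const PAGE = 'https://www.example.com/post/1';
const ELEMENTS = [
  { tag: 'script', attrs: { src: '/resources/foo.js' } },
  { tag: 'script', attrs: { src: 'https://cdn.example.net/lib.js' } },
  { tag: 'link', attrs: { rel: 'stylesheet', href: '/site.css' } },
  { tag: 'LINK', untrusted: true,
    attrs: { rel: 'nofollow WebBundle', href: '/uploads/x.wbn', scope: '/resources' } },
];

for (const f of auditBundleLinks(ELEMENTS, PAGE)) {
  console.log(f.untrusted ? 'REVIEW' : 'ok', f.bundle, '->', f.scripts.join(', ') || '(no scripts)');
}
```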