- From: Yoav Weiss <yoavweiss@google.com>
- Date: Fri, 28 Aug 2020 10:57:59 +0200
- To: Mike West <mkwst@google.com>
- Cc: Hayato Ito <hayato@google.com>, Ryosuke Niwa <rniwa@apple.com>, Jeffrey Yasskin <jyasskin@google.com>, public-web-perf <public-web-perf@w3.org>, Krzysztof Kotowicz <koto@google.com>
- Message-ID: <CAL5BFfUmpQ=CG26zNJqQ=G+0LtkY-zmLV6f0FYAPamu4o4fFrg@mail.gmail.com>
An imperative mechanism to load bundles would be inherently racy - the preloadScanner would not be aware of it, and can kick off script requests before their bundles are discovered. If `<link>` is a risky choice here, I'm fine with a different tag to do the same. I have no strong opinion regarding what would be a good alternative. On Fri, Aug 28, 2020 at 10:44 AM Mike West <mkwst@google.com> wrote: > I don't have a strong opinion about the mechanism, but I do think the risk > ascribed to the `<link>` approach is real. > > If declarative mechanisms are preferred, I wonder if an extension to > `<base>` would be more appropriate here than an extension to `<link>`. > `<base>` already affects resource loading across the page (in kinda > terrible ways, but still!), and so already needs to be addressed by folks > who aim to sanitize user input. > > It also is suggested to be invalid outside of `<head>`, which would be > similarly helpful if browsers implemented that as a requirement; there > doesn't seem to be a WPT for it, and Chromium at least would fail. > > -mike > > > On Fri, Aug 28, 2020 at 9:18 AM Hayato Ito <hayato@google.com> wrote: > >> Hi Ryosuke. Thanks for sharing concerns. >> >> I'm wondering if we have imperative JS APIs which are *equivalent* to >> declarative one, some of the security concerns will be addressed? >> >> Imperative JS APIs can be something like: >> >> <script> >> // Tentative ideas. API surfaces do not matter for now. >> document.webbundles.add({ >> href: 'https://www.exmaple.com/foo.wbn', >> resources: ['https://www.exmaple.com/a.png', ' >> https://www.exmaple.com/b.css', ...] >> }); >> </script> >> >> # Then, UA will try to load 'https://www.exmaple.com/a.png' (the same >> origin resource of the bundle) from the specified bundle, instead of the >> network. >> <img src='https://www.exmaple.com/a.png'> >> >> Is my understanding correct? >> >> On Fri, Aug 28, 2020 at 2:30 PM Ryosuke Niwa <rniwa@apple.com> wrote: >> >>> >>> On Aug 27, 2020, at 1:05 PM, Jeffrey Yasskin <jyasskin@google.com> >>> wrote: >>> >>> Hi Web Perf experts, >>> >>> We're working <https://www.chromestatus.com/feature/5710618575241216> >>> on using (unsigned) web bundles to help with preloading subresources. The >>> current design is at >>> https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md, >>> but roughly the idea is that a page would build a bundle of the >>> subresources it intends to use and put a >>> >>> <link rel="webbundle" href="/the_bundle.wbn" scope="/resources"> >>> >>> with their other preloads (or one of several variations). After that, >>> >>> <script src="/resources/foo.js"> >>> >>> would find the version in the bundle instead of having to fetch it >>> independently. >>> >>> >>> This isn’t about preloading is it? This will actually affect the >>> resource being used by that script element. preload doesn’t do that so this >>> is a pretty different feature. >>> >>> In https://github.com/WICG/webpackage/issues/580, Krzysztof worries >>> that adding any new way for a <link> tag to affect script loading is a >>> security risk, because pages may not be as careful about preventing users >>> from injecting <link> tags as they are about <script> tags. Instead, he >>> suggests using a Javascript API to tell the browser to preload subresources >>> using a bundle. >>> >>> >>> That would be a pretty serious security risk. Putting all other >>> objections against web packaging / web bundles aside, this will be a pretty >>> big show stopper. >>> >>> - R. Niwa >>> >>> >> >> -- >> Hayato >> >
Received on Friday, 28 August 2020 08:58:39 UTC