- From: Krzysztof Kotowicz <koto@google.com>
- Date: Fri, 28 Aug 2020 10:36:20 +0200
- To: Hayato Ito <hayato@google.com>
- Cc: Ryosuke Niwa <rniwa@apple.com>, Jeffrey Yasskin <jyasskin@google.com>, public-web-perf <public-web-perf@w3.org>
- Message-ID: <CAJCw+vu8jE28PodwK_-JFDw640JDjMKWwMXCbWa_LgL7EOH=-g@mail.gmail.com>
That's what I'm proposing. Imperative way of altering loads, not declarative one, and definitely not in HTML syntax.

On Fri, Aug 28, 2020 at 9:18 AM Hayato Ito <hayato@google.com> wrote:

> Hi Ryosuke. Thanks for sharing concerns.
>
> I'm wondering if we have imperative JS APIs which are *equivalent* to
> declarative one, some of the security concerns will be addressed?
>
> Imperative JS APIs can be something like:
>
> <script>
> // Tentative ideas. API surfaces do not matter for now.
> document.webbundles.add({
>   href: 'https://www.exmaple.com/foo.wbn',
>   resources: ['https://www.exmaple.com/a.png', 'https://www.exmaple.com/b.css', ...]
> });
> </script>
>
> # Then, UA will try to load 'https://www.exmaple.com/a.png' (the same
> origin resource of the bundle) from the specified bundle, instead of the
> network.
> <img src='https://www.exmaple.com/a.png'>
>
> Is my understanding correct?
>
> On Fri, Aug 28, 2020 at 2:30 PM Ryosuke Niwa <rniwa@apple.com> wrote:
>
>>
>> On Aug 27, 2020, at 1:05 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
>>
>> Hi Web Perf experts,
>>
>> We're working <https://www.chromestatus.com/feature/5710618575241216> on
>> using (unsigned) web bundles to help with preloading subresources. The
>> current design is at
>> https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md,
>> but roughly the idea is that a page would build a bundle of the
>> subresources it intends to use and put a
>>
>> <link rel="webbundle" href="/the_bundle.wbn" scope="/resources">
>>
>> with their other preloads (or one of several variations). After that,
>>
>> <script src="/resources/foo.js">
>>
>> would find the version in the bundle instead of having to fetch it
>> independently.
>>
>>
>> This isn’t about preloading is it? This will actually affect the resource
>> being used by that script element. preload doesn’t do that so this is a
>> pretty different feature.
>>
>> In https://github.com/WICG/webpackage/issues/580, Krzysztof worries that
>> adding any new way for a <link> tag to affect script loading is a security
>> risk, because pages may not be as careful about preventing users from
>> injecting <link> tags as they are about <script> tags. Instead, he suggests
>> using a Javascript API to tell the browser to preload subresources using a
>> bundle.
>>
>>
>> That would be a pretty serious security risk. Putting all other
>> objections against web packaging / web bundles aside, this will be a pretty
>> big show stopper.
>>
>> - R. Niwa
>>
>>
>
> --
> Hayato
>

--
koto@ / Krzysztof Kotowicz / Google
Received on Friday, 28 August 2020 09:35:04 UTC
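
The concern raised in this thread, as an added example that is not code from any participant or from the web bundles project: a tag allowlist that strips <script> but keeps <link> would still let a <link rel="webbundle"> decide what a later <script src> executes. The function names, the site.example and cdn.example hosts, the parsed-element input shape and the segment-wise prefix matching of scope are assumptions of this sketch.

```javascript
// Added example, not code from the thread. It models the declarative proposal
// quoted above: <link rel="webbundle" href scope> makes same-origin loads under
// `scope` come from the bundle. Segment-wise prefix matching is an assumption.

function pathInScope(path, scopePath) {
  const prefix = scopePath.endsWith("/") ? scopePath : scopePath + "/";
  return path === scopePath || path.startsWith(prefix);
}

// URLs from `subresources` whose content the given <link> attributes would control.
function loadsControlledByLink(attrs, subresources, pageUrl) {
  const rel = (attrs.rel || "").toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  if (!rel.includes("webbundle") || !attrs.href || !attrs.scope) return [];
  const bundle = new URL(attrs.href, pageUrl);
  const scope = new URL(attrs.scope, pageUrl);
  if (scope.origin !== bundle.origin) return [];
  return subresources
    .map((u) => new URL(u, pageUrl))
    .filter((u) => u.origin === bundle.origin && pathInScope(u.pathname, scope.pathname))
    .map((u) => u.href);
}

// Hypothetical audit: which elements that survive a tag allowlist still decide
// what a <script> on the page executes?
function auditSanitizedMarkup(allowedTags, elements, scriptSrcs, pageUrl) {
  const findings = [];
  for (const el of elements) {
    if (!allowedTags.has(el.tag) || el.tag !== "link") continue;
    const controlled = loadsControlledByLink(el.attrs, scriptSrcs, pageUrl);
    if (controlled.length > 0) findings.push({ href: el.attrs.href, controlled });
  }
  return findings;
}

// Constructed sample data (site.example and cdn.example are placeholders).
const PAGE_URL = "https://site.example/app/index.html";
const PAGE_SCRIPTS = ["/resources/foo.js", "/resources-old/legacy.js", "https://cdn.example/lib.js"];
const USER_MARKUP = [ // element list as produced by a real HTML parser
  { tag: "script", attrs: { src: "/x.js" } },
  { tag: "link", attrs: { rel: "WebBundle", href: "/the_bundle.wbn", scope: "/resources" } },
  { tag: "link", attrs: { rel: "stylesheet", href: "/a.css" } },
];
const ALLOWED_TAGS = new Set(["a", "img", "link"]); // blocks <script>, permits <link>

const FINDINGS = auditSanitizedMarkup(ALLOWED_TAGS, USER_MARKUP, PAGE_SCRIPTS, PAGE_URL);
console.log(JSON.stringify(FINDINGS, null, 2));
```

A sanitizer that has to keep <link> can reuse the same rel-token split to drop every element whose rel tokens are not explicitly allowed.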