- From: Krzysztof Kotowicz <koto@google.com>
- Date: Fri, 28 Aug 2020 12:01:24 +0200
- To: Yoav Weiss <yoavweiss@google.com>
- Cc: Mike West <mkwst@google.com>, Hayato Ito <hayato@google.com>, Ryosuke Niwa <rniwa@apple.com>, Jeffrey Yasskin <jyasskin@google.com>, public-web-perf <public-web-perf@w3.org>
- Message-ID: <CAJCw+vuwrOZQ4YJnmLSYW9w2TEXOFTKdvJBZCw6SFN690qd13A@mail.gmail.com>
On Fri, Aug 28, 2020 at 11:49 AM Yoav Weiss <yoavweiss@google.com> wrote:
> If we want WebBundles to fit into today's pages (which e.g. include
> `<script src>` tags), we need an imperative mechanism to load them and tell
> the browser about the resources they contain.
> An imperative mechanism to load them would only be effective for
> dynamically loaded resources, which are inherently slower to discover. It
> would be a shame if we ended up encouraging that pattern.
>
> Would moving away from `<link>` to e.g. `<base>` (as Mike suggested) or
> `<script type=bundle>` address your concerns?
>
I would prefer base or script, yes. But is the raciness problem solved,
given that DOM is mutable from JS? That would need to be addressed anyhow
if I understand correctly.
>
> On Fri, Aug 28, 2020 at 11:33 AM Krzysztof Kotowicz <koto@google.com>
> wrote:
>
>> The DOM tree can also change dynamically. If the element that controls
>> the bundle loading is inserted via JS, would that also affect raciness? If
>> so, there's little way around it, short of ignoring the behavior when added
>> dynamically (which might be surprising for authors).
>>
>> On Fri, Aug 28, 2020 at 10:58 AM Yoav Weiss <yoavweiss@google.com> wrote:
>>
>>> An imperative mechanism to load bundles would be inherently racy - the
>>> preloadScanner would not be aware of it, and can kick off script requests
>>> before their bundles are discovered.
>>>
>>> If `<link>` is a risky choice here, I'm fine with a different tag to do
>>> the same. I have no strong opinion regarding what would be a good
>>> alternative.
>>>
>>> On Fri, Aug 28, 2020 at 10:44 AM Mike West <mkwst@google.com> wrote:
>>>
>>>> I don't have a strong opinion about the mechanism, but I do think the
>>>> risk ascribed to the `<link>` approach is real.
>>>>
>>>> If declarative mechanisms are preferred, I wonder if an extension to
>>>> `<base>` would be more appropriate here than an extension to `<link>`.
>>>> `<base>` already affects resource loading across the page (in kinda
>>>> terrible ways, but still!), and so already needs to be addressed by folks
>>>> who aim to sanitize user input.
>>>>
>>>> It also is suggested to be invalid outside of `<head>`, which would be
>>>> similarly helpful if browsers implemented that as a requirement; there
>>>> doesn't seem to be a WPT for it, and Chromium at least would fail.
>>>>
>>>> -mike
>>>>
>>>>
>>>> On Fri, Aug 28, 2020 at 9:18 AM Hayato Ito <hayato@google.com> wrote:
>>>>
>>>>> Hi Ryosuke. Thanks for sharing concerns.
>>>>>
>>>>> I'm wondering if we have imperative JS APIs which are *equivalent* to
>>>>> declarative one, some of the security concerns will be addressed?
>>>>>
>>>>> Imperative JS APIs can be something like:
>>>>>
>>>>> <script>
>>>>> // Tentative ideas. API surfaces do not matter for now.
>>>>> document.webbundles.add({
>>>>> href: 'https://www.exmaple.com/foo.wbn',
>>>>> resources: ['https://www.exmaple.com/a.png', '
>>>>> https://www.exmaple.com/b.css', ...]
>>>>> });
>>>>> </script>
>>>>>
>>>>> # Then, UA will try to load 'https://www.exmaple.com/a.png' (the same
>>>>> origin resource of the bundle) from the specified bundle, instead of the
>>>>> network.
>>>>> <img src='https://www.exmaple.com/a.png'>
>>>>>
>>>>> Is my understanding correct?
>>>>>
>>>>> On Fri, Aug 28, 2020 at 2:30 PM Ryosuke Niwa <rniwa@apple.com> wrote:
>>>>>
>>>>>>
>>>>>> On Aug 27, 2020, at 1:05 PM, Jeffrey Yasskin <jyasskin@google.com>
>>>>>> wrote:
>>>>>>
>>>>>> Hi Web Perf experts,
>>>>>>
>>>>>> We're working <https://www.chromestatus.com/feature/5710618575241216>
>>>>>> on using (unsigned) web bundles to help with preloading subresources. The
>>>>>> current design is at
>>>>>> https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md,
>>>>>> but roughly the idea is that a page would build a bundle of the
>>>>>> subresources it intends to use and put a
>>>>>>
>>>>>> <link rel="webbundle" href="/the_bundle.wbn" scope="/resources">
>>>>>>
>>>>>> with their other preloads (or one of several variations). After that,
>>>>>>
>>>>>> <script src="/resources/foo.js">
>>>>>>
>>>>>> would find the version in the bundle instead of having to fetch it
>>>>>> independently.
>>>>>>
>>>>>>
>>>>>> This isn’t about preloading is it? This will actually affect the
>>>>>> resource being used by that script element. preload doesn’t do that so this
>>>>>> is a pretty different feature.
>>>>>>
>>>>>> In https://github.com/WICG/webpackage/issues/580, Krzysztof worries
>>>>>> that adding any new way for a <link> tag to affect script loading is a
>>>>>> security risk, because pages may not be as careful about preventing users
>>>>>> from injecting <link> tags as they are about <script> tags. Instead, he
>>>>>> suggests using a Javascript API to tell the browser to preload subresources
>>>>>> using a bundle.
>>>>>>
>>>>>>
>>>>>> That would be a pretty serious security risk. Putting all other
>>>>>> objections against web packaging / web bundles aside, this will be a pretty
>>>>>> big show stopper.
>>>>>>
>>>>>> - R. Niwa
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Hayato
>>>>>
>>>>
>>
>> --
>> koto@ / Krzysztof Kotowicz / Google
>>
>
--
koto@ / Krzysztof Kotowicz / Google
Received on Friday, 28 August 2020 10:01:54 UTC