Re: Preloading using JS instead of a tag

Mike West wrote:
>
> If declarative mechanisms are preferred, I wonder if an extension to
> `<base>` would be more appropriate here than an extension to `<link>`.
> `<base>` already affects resource loading across the page (in kinda
> terrible ways, but still!), and so already needs to be addressed by folks
> who aim to sanitize user input.
>

The interaction with CSP is also important.  A standard recommendation is
"base-uri 'none'".  Should that prevent loading bundles?  If so, what would
opting in look like?

Looking at this from a backwards-compatibility perspective, it would be
nice if a CSP that permitted nonced scripts would also permit nonced
bundles, since they seem like the same category of risk.

In my case, I'm interested in using bundles in an ad tag to load multiple
ads in a single request/response.  As a third-party on publisher pages, we
need to be clear with publishers what our contract is, and as of very
recently we're committed to working correctly on any page with a strict CSP
-- https://csp.withgoogle.com/docs/strict-csp.html.  If we had to ask
publishers to poke a hole for a new use of <base> we could do that, but the
clarity of "we support the recommended way of using CSP, strict CSP" is
much better than "we support the recommended way, almost, but please relax
it just for us in this little way".

Our use case is also somewhat different from what's been discussed
upthread, since we would be both the resource and the bundle that would
fulfill it from JS, and so aren't concerned about declarative specification
and preload scanning.

Jeff

Received on Friday, 28 August 2020 13:46:04 UTC
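The two CSP questions raised in the message above (does `base-uri 'none'` block a `<base>` element, and does a nonce in `script-src` admit a script only when the element carries the same nonce) can be made concrete with a small policy evaluator. The following is an added example written for this page, not code from the thread or from any browser. It assumes the policy string has the strict-CSP shape from csp.withgoogle.com, models elements as plain objects `{kind, nonce}`, omits host-source and `'self'` matching (which strict CSP does not rely on), and treats a `bundle` element kind as a hypothetical that is evaluated under the same nonce rule as scripts, purely to illustrate the "same category of risk" argument; no browser does this today.

```javascript
// Constructed strict-CSP header in the shape recommended at
// https://csp.withgoogle.com/docs/strict-csp.html (nonce value is made up).
const STRICT_CSP =
  "script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'; base-uri 'none';";

// Parse a Content-Security-Policy header into Map<directive, [sources]>.
// Per the CSP spec, a repeated directive name is ignored; the first wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as script-src fall back to default-src when absent;
// base-uri is a document directive and has no fallback.
function sourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (directive !== 'base-uri' && policy.has('default-src')) return policy.get('default-src');
  return null; // directive absent: nothing restricts it
}

function isNone(sources) {
  return sources.length === 1 && sources[0].toLowerCase() === "'none'";
}

// A nonce source is written 'nonce-<base64>' and compared case-sensitively.
function nonceAllowed(sources, nonce) {
  if (!nonce) return false;
  return sources.some(src => {
    const m = /^'nonce-([A-Za-z0-9+/=_-]+)'$/.exec(src);
    return m !== null && m[1] === nonce;
  });
}

// Decide whether an element may take effect under the policy.
//   { kind: 'base' }                       -> governed by base-uri
//   { kind: 'script', nonce }              -> governed by script-src
//   { kind: 'bundle', nonce }              -> HYPOTHETICAL: modelled here as if
//                                             it were governed by script-src
function isAllowed(policy, element) {
  if (element.kind === 'base') {
    const sources = sourceList(policy, 'base-uri');
    if (sources === null) return true;
    // Simplification: only 'none' is modelled; host/'self' matching omitted.
    return !isNone(sources);
  }
  if (element.kind === 'script' || element.kind === 'bundle') {
    const sources = sourceList(policy, 'script-src');
    if (sources === null) return true;
    if (isNone(sources)) return false;
    // With a nonce present, 'unsafe-inline' is ignored by the spec, and under
    // 'strict-dynamic' host sources are ignored too, so the nonce is the only
    // thing that can admit the element in a strict policy.
    return nonceAllowed(sources, element.nonce);
  }
  throw new Error(`unknown element kind: ${element.kind}`);
}

// Constructed elements exercising the cases discussed in the thread.
const ELEMENTS = [
  { label: 'base element',            el: { kind: 'base' } },
  { label: 'script, matching nonce',  el: { kind: 'script', nonce: 'abc123' } },
  { label: 'script, wrong nonce',     el: { kind: 'script', nonce: 'zzz999' } },
  { label: 'script, no nonce',        el: { kind: 'script' } },
  { label: 'bundle (hypothetical)',   el: { kind: 'bundle', nonce: 'abc123' } },
];

function evaluateAll(header, elements) {
  const policy = parseCsp(header);
  return elements.map(({ label, el }) => ({ label, allowed: isAllowed(policy, el) }));
}

for (const r of evaluateAll(STRICT_CSP, ELEMENTS)) {
  console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.label}`);
}
```

Under the strict policy the `<base>` element is blocked outright, a script is admitted only with the exact nonce, and the hypothetical nonced bundle is admitted by the same rule, which is the outcome the message argues for; whether a real bundle mechanism would be keyed to `script-src` or to `base-uri` is exactly the open question in the thread.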