- From: Jeff Kaufman <jefftk@google.com>
- Date: Fri, 28 Aug 2020 09:45:36 -0400
- To: public-web-perf@w3.org
- Message-ID: <CAMJ6YUvPiv9ZvbJoH7-f07nKXPZ=c+2mpqQHQE7qEjaeg2mgTg@mail.gmail.com>
Mike West wrote:

> If declarative mechanisms are preferred, I wonder if an extension to
> `<base>` would be more appropriate here than an extension to `<link>`.
> `<base>` already affects resource loading across the page (in kinda
> terrible ways, but still!), and so already needs to be addressed by folks
> who aim to sanitize user input.

The interaction with CSP is also important. A standard recommendation is "base-uri 'none'". Should that prevent loading bundles? If so, what would opting in look like?

Looking at this from a backwards-compatibility perspective, it would be nice if a CSP that permitted nonced scripts would also permit nonced bundles, since they seem like the same category of risk?

In my case, I'm interested in using bundles in an ad tag to load multiple ads in a single request/response. As a third party on publisher pages, we need to be clear with publishers what our contract is, and as of very recently we're committed to working correctly on any page with a strict CSP -- https://csp.withgoogle.com/docs/strict-csp.html. If we had to ask publishers to poke a hole for a new use of <base> we could do that, but the clarity of "we support the recommended way of using CSP, strict CSP" is much better than "we support the recommended way, almost, but please relax it just for us in this little way".

Our use case is also somewhat different from what's been discussed upthread, since we would be both the resource and the bundle that would fulfill it from JS, and so aren't concerned about declarative specification and preload scanning.

Jeff
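The two CSP questions in the message above (does a policy admit a nonce-bearing `<script>`, and does `base-uri 'none'` shut off `<base href>`) can be checked against a toy policy evaluator. The code below is an added example written for this archive page; it is not from the thread, from Google's ad tag, or from any browser. The policy template is modelled on the strict-CSP recommendation the mail links to, and the page origin, nonce and host names are constructed inputs. Host-source and hash-source matching are deliberately simplified; it says nothing about how bundles would be governed, which is the open question in the mail.

```python
"""Toy CSP evaluator: does a policy permit a nonced <script>, and does it
honour <base href>? Added example, not a browser's CSP implementation."""
import base64
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Modelled on the strict-CSP shape (script-src nonce + 'strict-dynamic',
# object-src 'none', base-uri 'none'); the nonce is filled in per response.
STRICT_CSP_TEMPLATE = (
    "script-src 'nonce-{nonce}' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none';"
)


def make_nonce(nbytes: int = 16) -> str:
    """Fresh per-response nonce, base64-encoded as strict CSP recommends."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    A repeated directive name is ignored: the first occurrence wins (CSP3)."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_allowed(policy: dict, nonce: Optional[str] = None) -> bool:
    """Is a <script> carrying `nonce` (or none) permitted?
    script-src falls back to default-src. A matching 'nonce-...' source
    allows it; 'unsafe-inline' allows it only when the list carries no
    nonce, hash or 'strict-dynamic' source, because CSP3 ignores
    'unsafe-inline' once those are present. Hash and host matching for
    external scripts are outside this toy model."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no script restriction at all
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    disables_unsafe_inline = any(
        s.startswith("'nonce-") or s.startswith("'sha") or s == "'strict-dynamic'"
        for s in sources
    )
    return "'unsafe-inline'" in sources and not disables_unsafe_inline


def base_allowed(policy: dict, base_href: str, page_origin: str) -> bool:
    """Would <base href=base_href> be honoured on a page at page_origin?
    base-uri does NOT fall back to default-src: absent means unrestricted."""
    sources = policy.get("base-uri")
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    target_host = urlsplit(base_href).netloc.lower()
    for s in sources:
        if s == "'self'" and urlsplit(page_origin).netloc.lower() == target_host:
            return True
        if not s.startswith("'"):  # simplified host-source: exact host match
            if urlsplit(s if "://" in s else f"//{s}").netloc.lower() == target_host:
                return True
    return False


def evaluate(header: str, page_origin: str, nonce: str, base_href: str) -> dict:
    """Summarise what the policy allows for one response."""
    policy = parse_csp(header)
    return {
        "nonced_script": script_allowed(policy, nonce),
        "unnonced_script": script_allowed(policy),
        "base_href": base_allowed(policy, base_href, page_origin),
    }


if __name__ == "__main__":
    n = make_nonce()
    header = STRICT_CSP_TEMPLATE.format(nonce=n)
    # Constructed origins: a publisher page and a third-party host.
    print(evaluate(header, "https://publisher.example", n, "https://cdn.example/"))
```

Under the strict template the nonced script passes, the same script without a nonce does not, and `<base href>` is refused outright; the loose policy in the test shows the contrast, and the mixed policy shows `'unsafe-inline'` being discarded once a nonce source is present.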
Received on Friday, 28 August 2020 13:46:04 UTC