Re: [whatwg/fetch] Process subresource link headers (PR #1409)

> @yoavweiss do you know where this feature got discussed before including the security implications, how this should relate to CSP, Referer headers, etc?

@annevk - this was discussed at the time (~2015, IIRC), but no particular concerns were raised. (some concerns were raised [later](https://bugs.chromium.org/p/chromium/issues/detail?id=990647)) 
If there are security/privacy issues with this, we can rediscuss. May be interesting to see how often this is used in Chromium, but in any case, breaking this is unlikely to result in compat issues, as Link headers can't define load/error event handlers.

With regards to why this is supported, I can see a clear use case for active content preloading dependent subresources (e.g. a script loading a dependent script it knows it'll need, or a CSS preloading a dependent BG image or font). I see less of a use case for passive content (e.g. images), so would be more open to disabling preloads there.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1409#issuecomment-1066463306

Message ID: <whatwg/fetch/pull/1409/c1066463306@github.com>

Received on Monday, 14 March 2022 07:31:17 UTC