- From: Noam Rosenthal <notifications@github.com>
- Date: Mon, 14 Mar 2022 05:01:20 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1409/c1066701872@github.com>
> > @yoavweiss do you know where this feature got discussed before including the security implications, how this should relate to CSP, Referer headers, etc? > > @annevk - this was discussed at the time (~2015, IIRC), but no particular concerns were raised. (some concerns were raised [later](https://bugs.chromium.org/p/chromium/issues/detail?id=990647)) If there are security/privacy issues with this, we can rediscuss. May be interesting to see how often this is used in Chromium, but in any case, breaking this is unlikely to result in compat issues, as Link headers can't define load/error event handlers. > > With regards to why this is supported, I can see a clear use case for active content preloading depedent subresources (e.g. a script loading a dependent script it knows it'll need, or a CSS preloading a dependent BG image of font). I see less of a use case for passive content (e.g. images), so would be more open to disabling preloads there. I can see how this would be a security/privacy concern. Thinking of a document with no-cors images only and no CSP, images might generate link headers to CORS resources, causing unexpected fetches and perhaps exfiltration. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1409#issuecomment-1066701872 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1409/c1066701872@github.com>
Received on Monday, 14 March 2022 12:01:31 UTC