- From: Daniel <notifications@github.com>
- Date: Fri, 25 Mar 2022 05:52:46 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/721/1078999514@github.com>
This proposal uses a `<script>` element to host JSON content that describes the prefetch rules. This potentially conflicts with [CORB](https://chromium.googlesource.com/chromium/src/+/HEAD/services/network/cross_origin_read_blocking_explainer.md) and the proposed [ORB](https://github.com/annevk/orb) security mechanisms. Both try to prevent loading JSON resources into unexpected contexts. And JSON in `<script>` is certainly unexpected. It's not entirely clear to me whether there is actually a conflict or whether this is a near miss, but in either case I believe the interaction with CORB/ORB requires a close look. (Possibly CSP, also.)

Since this concern is merely about rule representation, there should be numerous ways to avoid the issues without touching the substance of the proposal: using something other than `<script>`, or having a unique MIME type and strictly requiring it, or insisting that speculation rules are always inline and won't be fetched. One could also try to modify CORB/ORB in order to accommodate Speculation Rules.

The [explainer](https://github.com/WICG/nav-speculation/blob/main/triggers.md#speculation-rules) thankfully already touches on these issues, so I'm hopeful this can be resolved.
Received on Friday, 25 March 2022 12:52:58 UTC