Re: [w3ctag/design-reviews] Design Review: Speculation Rules (Prefetch) (Issue #721)

Hi TAG. We have a slight expansion to this feature coming up, which I will drop a comment about here instead of opening a new issue. However, please let me know if it'd be more helpful to open something new, especially since what I'm asking about is *prerendering* and this review at least started being about *prefetch*.

Chrome shipped same-origin prerendering, based on speculation rules, in May. We're now looking to expand this to cover cross-origin same-site prerendering, i.e. cases like `https://a.example.com/` prerendering `https://b.example.com/`. This *will* include credentials/storage access, since those are site keyed, but it will also require an opt-in from the target site via a new HTTP response header, `Supports-Loading-Mode: credentialed-prerender`, to protect the origin security boundary.

We've updated the spec and explainer in https://github.com/WICG/nav-speculation/commit/16570ff808267383a393064ff951b764911be78f , with perhaps the most relevant reading being:

- A new [section of the prerendering explainer](https://github.com/WICG/nav-speculation/blob/main/prerendering-same-site.md#more-details-on-cross-origin-same-site) giving our full analysis of what this expansion does in terms of security and privacy properties.
- The overall [`Supports-Loading-Mode` explainer](https://github.com/WICG/nav-speculation/blob/main/opt-in.md) (which includes a few values we aren't yet shipping, such as `uncredentialed-prerender`).
- [The `Supports-Loading-Mode` spec](https://wicg.github.io/nav-speculation/prerendering.html#supports-loading-mode), as well as [where it is used in the main fetching part of the prerendering spec](https://wicg.github.io/nav-speculation/prerendering.html#navigate-fetch-patch).

We've also updated the [relevant security & privacy questionnaire](https://github.com/WICG/nav-speculation/blob/main/prerendering-same-site-security-privacy-questionnaire.md), but none of the questions there were directly relevant to this expansion; probably the new section mentioned above is the most useful from a security and privacy perspective.

Thanks for your time!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1235043792

Message ID: <w3ctag/design-reviews/issues/721/1235043792@github.com>

Received on Friday, 2 September 2022 04:04:13 UTC
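
The opt-in rule described in the message above, modelled as an added example that is not part of the original message, the spec, or Chrome's code. Assumptions: the function names are hypothetical, `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the Public Suffix List, the header parse is a simplification of structured-field list parsing, and cross-site targets are treated as outside this expansion.

```javascript
// Assumption: constructed stand-in for the Public Suffix List (real code needs the full list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: never treated as same-site
}

// Classify the target relative to the initiating page (schemeful same-site).
function relation(initiatorUrl, targetUrl) {
  const a = new URL(initiatorUrl);
  const b = new URL(targetUrl);
  if (a.origin === b.origin) return "same-origin";
  const da = registrableDomain(a.hostname);
  const db = registrableDomain(b.hostname);
  if (a.protocol === b.protocol && da !== null && da === db) return "same-site";
  return "cross-site";
}

// Simplified parse of a list-of-tokens header value; parameters are dropped.
function loadingModes(headerValue) {
  if (!headerValue) return [];
  return headerValue
    .split(",")
    .map((member) => member.split(";")[0].trim())
    .filter((member) => member !== "");
}

// Decide whether a credentialed prerender is acceptable under the rule in the message:
// same-origin needs no opt-in, cross-origin same-site needs the target's opt-in header.
function mayPrerenderWithCredentials(initiatorUrl, targetUrl, supportsLoadingMode) {
  const rel = relation(initiatorUrl, targetUrl);
  if (rel === "same-origin") return { rel, allowed: true };
  if (rel === "same-site") {
    const optedIn = loadingModes(supportsLoadingMode).includes("credentialed-prerender");
    return { rel, allowed: optedIn };
  }
  return { rel, allowed: false }; // cross-site is not covered by this expansion
}
```

A site operator can use the same classification to audit which of its subdomains send the header, since each one that does accepts credentialed prerenders initiated by any same-site origin.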