Re: [w3ctag/design-reviews] Design Review: Speculation Rules (Prefetch) (Issue #721)

Hi. We have delta updates on how the speculation rules should interact with Content Security Policy.

Explainer: https://github.com/WICG/nav-speculation/blob/main/triggers.md#content-security-policy

We added a `Content Security Policy` section to clarify how the speculation rules interact with the existing Content Security Policy, and to explain the new source keyword "`inline-speculation-rules`".

We also added a `Content Security Policy` section to the speculation rules spec, in order to explain the motivation and to show spec patches for Content Security Policy.
Spec (diff): https://storage.googleapis.com/spec-previews/WICG/nav-speculation/pull/245/diff/speculation-rules.html

Tests:
- https://github.com/web-platform-tests/wpt/blob/master/speculation-rules/prerender/csp-script-src-elem-inline-speculation-rules.tentative.html
- https://github.com/web-platform-tests/wpt/blob/master/speculation-rules/prerender/csp-script-src-inline-speculation-rules.tentative.html

Chrome Status: https://chromestatus.com/feature/5182859125456896

In short, we clarify how the speculation rules are handled in CSP, and provide a new source keyword to permit safe inline speculation rules without allowing unsafe inline script under a strict CSP environment. Here is an example use.

```
<meta http-equiv="Content-Security-Policy" content="script-src 'inline-speculation-rules'">

<!-- this just works!! -->
<script type="speculationrules">
...
</script>

<!-- this causes a CSP violation -->
<script>
console.log('hellow');
</script>
```

-- 
https://github.com/w3ctag/design-reviews/issues/721#issuecomment-1461312356

Message ID: <w3ctag/design-reviews/issues/721/1461312356@github.com>

Received on Thursday, 9 March 2023 05:32:55 UTC
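The behaviour described in the message above, as an added example that is not code from the issue, the explainer or the spec: a small JavaScript model of the CSP decision for an inline `<script>`, which admits `type="speculationrules"` under `'inline-speculation-rules'` while still refusing ordinary inline script. The function names are assumptions; nonce sources are matched, hash sources only disable `'unsafe-inline'` (their digests are not compared), and `'strict-dynamic'` is not modeled.

```javascript
// Parse a serialized policy into { directiveName: [sourceExpressions] }.
// Source expressions keep their quotes so "'unsafe-inline'" compares as written.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Inline script elements are governed by script-src-elem, falling back to
// script-src and then default-src (CSP3 fallback order).
function effectiveSources(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives[name]) return directives[name];
  }
  return null; // no applicable directive: inline script is unrestricted
}

// Decide whether one inline <script> element is allowed by the policy.
// type  : the element's type attribute ("speculationrules" or "" for classic script)
// nonce : the element's nonce attribute, if any
function inlineScriptAllowed({ policy, type = "", nonce = "" }) {
  const sources = effectiveSources(parseCsp(policy));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const isSpeculationRules = type.trim().toLowerCase() === "speculationrules";
  // The new keyword admits only speculation rules, never script that executes.
  if (isSpeculationRules && lower.includes("'inline-speculation-rules'")) return true;
  // A matching nonce admits any inline script element, speculation rules included.
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // Per CSP3, 'unsafe-inline' is ignored once any nonce or hash source is present
  // (hash digests are not compared in this model, so they only disable it).
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```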