- From: Antonio Sartori <notifications@github.com>
- Date: Wed, 24 Sep 2025 02:33:25 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1841/review/3262030521@github.com>
@antosart commented on this pull request.

> <td>"<code>report</code>"
> - <td rowspan=2>—
> + <td rowspan=3>—

If I understand correctly, fetches do indeed happen after the policy container is created from the navigation response. However, the current proposal is to have Speculation-Rules headers explicitly bypass CSP by allowlisting the "speculationrules" destination in CSP (https://github.com/w3c/webappsec-csp/pull/776). Digging a bit, that seems to be the result of experiments and discussion (see https://chromestatus.com/feature/5123809745829888?gate=5093909324365824).

I expect the reason for this to be rooted in the attempt of CSP to do (at least) two things at the same time, i.e. control script execution and gate outgoing requests (which in the case of `script-src` end up colliding even if they are conceptually distinct - fetching a script's content is not the same as executing it).

Gating the Speculation-Rules header behind script-src would make it impossible to use the feature with [strict CSP](https://csp.withgoogle.com/docs/strict-csp.html). Gating it behind something else (e.g. connect-src) could be somewhat confusing given that the other way to specify speculationrules is in a script tag (for which script-src does apply).

It's not totally clear to me what the best option is here, but I think it would make sense to have some record/explanation of why the choice was made.

-- 
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1841#discussion_r2375179049
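Review bot: the change from `rowspan=2` to `rowspan=3` on the `—` cell extends the "no CSP directive" entry to cover one more destination row, but the hunk records only the outcome, not why that destination is exempt; a sentence in the spec text next to the table, or at least a pointer to the rationale in w3c/webappsec-csp#776, would keep that decision discoverable for readers who only see the table.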
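The three gating options the comment weighs (script-src, connect-src, or no directive at all), as an added toy model that is not code from the Fetch PR or from the comment's author; the policy string, origins, URL and nonce are constructed, and the destination-to-directive mappings in `GATING` are assumptions standing in for the spec's destination table.

```python
"""Toy model of the three ways to gate the Speculation-Rules header fetch
that the review discusses: behind script-src, behind connect-src, or behind
no directive at all (what the rowspan bump in the table encodes).
Source-list matching is deliberately simplified and is NOT a full CSP
implementation; all URLs, origins and the nonce below are constructed."""
from urllib.parse import urlparse

# Constructed strict CSP: nonce + 'strict-dynamic', no host allowlist.
STRICT_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"
PAGE_ORIGIN = "https://app.example"
RULES_URL = "https://cdn.example/rules.json"  # URL the header points at

# destination -> governing directive (None = no CSP check at all); assumed mappings
GATING = {
    "script-src": {"script": "script-src", "speculationrules": "script-src"},
    "connect-src": {"script": "script-src", "speculationrules": "connect-src"},
    "exempt": {"script": "script-src", "speculationrules": None},
}

def parse_csp(policy: str) -> dict:
    """Turn 'a x y; b z' into {'a': ['x', 'y'], 'b': ['z']}."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out

def source_allows(sources, url, page_origin, nonce=None):
    """Simplified source-list match for one request URL."""
    if "'none'" in sources:
        return False
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        return False  # host and 'self' entries are ignored; only nonces/hashes count
    p = urlparse(url)
    origin = f"{p.scheme}://{p.netloc}"
    return "*" in sources or origin in sources or ("'self'" in sources and origin == page_origin)

def fetch_allowed(policy, destination, url, gating="exempt", nonce=None, page_origin=PAGE_ORIGIN):
    """Does `policy` let a request with this Fetch destination through?"""
    directive = GATING[gating][destination]
    if directive is None:
        return True  # destination is not governed by any directive
    directives = parse_csp(policy)
    # Fetch directives fall back to default-src when absent; no list means no restriction.
    sources = directives.get(directive, directives.get("default-src"))
    return True if sources is None else source_allows(sources, url, page_origin, nonce)
```

Under the strict policy a header-delivered rules fetch is blocked only in the script-src option, because a header carries no nonce and 'strict-dynamic' discards host allowlists; an inline `<script>` with the matching nonce still passes.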
Received on Wednesday, 24 September 2025 09:33:29 UTC