- From: Ilya Grigorik <igrigorik@gmail.com>
- Date: Wed, 12 Nov 2014 14:54:15 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKRe7JGjbRU4L0C-zFek0m00wKky7W0ziAyUSxMveSTtXz2SNA@mail.gmail.com>
On Tue, Nov 11, 2014 at 3:56 PM, Brian Smith <brian@briansmith.org> wrote: > On Tue, Nov 11, 2014 at 2:46 PM, Ilya Grigorik <igrigorik@gmail.com> > wrote: > >> I also noticed an interesting study of support for the HTTP LINK > >> header for rel=stylesheet [1]. It indicates that Firefox and old > >> versions of Opera are the only major browsers that support the HTTP > >> LINK header for rel=stylesheet. Perhaps it is a good idea to drop the > >> HTTP LINK header with rel=stylesheet from HTML? This would be a good > >> time to decide, because Blink is considering adding support now [2]. > > > > There are legitimate use cases for Link, we should not drop support. > > > > Resource-Hints (rel=preload in particular) is relying on Link to allow > > servers+proxies to emit resource hints without modifying the response > body. > > This is an important use case for CDN's / FEO products / BW-reduction > > proxies (Opera, Chrome, etc). > > My question was not whether we should drop support for any/all Link > relations. My question was specifically about dropping support for the > HTTP LINK header with rel=stylesheet. > Why? It's a legitimate use case, and I don't think there is anything about rel=stylesheet that can't be addressed (see below). > > > http://w3c.github.io/resource-hints/#developer-server-and-proxy-generated-hints-preload > > > > It would be good to clarify in the spec how CSP header interacts with > Link. > > I agree. And, in particular, it would be good to call out what is to > happen when <meta http-equiv=Content-Security-Policy> is used with > Link rel=preload and how it affects any/all other prefetching, > especially preloading done as part of the prescanner. "Authors are strongly encouraged to place the meta element as early in the document as possible to reduce the risk of content injection before a protective policy can be read and enforced." [1] What we're discussing here is an extension of the same problem: - Link header can initiate a download before any response body bytes are received and before <meta> policy is processed and applied. -- To guard for this, you should specify your CSP policy in the HTTP header: guarantees that the policy is applied against and before *all* requests. -- HTTP headers can be re-ordered in transit, we can require that Link fetches are delayed until headers are processed (except for Trailers). ig [1] https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element
Received on Wednesday, 12 November 2014 22:55:23 UTC