- From: Guy Bedford <guybedford@gmail.com>
- Date: Sat, 6 Mar 2021 10:34:12 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAGu7HEn7bKrHcpP7NhLW0w+jDb_DyHj2TYKGM2tXV8NpfC07wA@mail.gmail.com>
Hi I'd like to propose a variation of <link rel="preload"> for setting resource integrity, that can support lazy loaded resources. Many resources like CSS are lazy loaded via injection into the DOM, where this injection can be associated with integrity metadata at the time of injection. But often finding and adding the integrity to that exact injection code presents a massive adoption friction point to the goal of a web application where all resources after the first HTML load are served with integrity to allow reducing third-party server trust requirements. Integrities change so need to be regularly updated - and if the integrities are stored in code, that means running injection operations against complex code patterns. In 2018 Subresource Integrity was extended to support `<link rel="preload">` tags, allowing for resources with integrity restrictions to fully support preloading via the `integrity` attribute on the preload link tag. See https://chromestatus.com/feature/4967277059375104 for some further background on this. The problem with this technique is it isn't useful for lazy resources where the bandwidth should be spared from the critical load path, while the integrity should still be provided at load time. The proposal would be for a variation of the <link rel="preload" integrity="..."> pattern that can support lazy loading of resources. There are likely two major ways to achieve this: 1. Varying the priority of the preload - perhaps having an attribute like <link rel="preload" priority="when-idle"> or "lazy" etc to indicate resources should not block the critical load of the page. 2. A simpler "boolean" attribute to indicate the preload is lazy <link rel="preload" lazy> or as appropriate. With such a tag, the dynamic injection code for lazy resources can be uncoupled from the exact subresource integrity string, and the main HTML page can be used to include this metadata for lazy resources without incurring their full network cost during page initialization. I think it would be a powerful new primative for constructing full integrity for web applications. Further feedback very welcome! Guy Bedford
Received on Saturday, 6 March 2021 08:35:31 UTC