From ed63051676ca23c658895053dc9669b1242a2b8a Mon Sep 17 00:00:00 2001 From: Takashi Toyoshima Date: Fri, 18 Nov 2022 20:10:48 +0900 Subject: [PATCH 1/2] Add "Content-Security-Policy" to speculation rules explainer The new section explains how the prerender and prefetch follow the Content-Security-Policy. They respect the existing `script-src`, but `inline-speculation-rules` is also added as a new source to permit inline speculationrules. --- triggers.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/triggers.md b/triggers.md index 8dfcad2..b320442 100644 --- a/triggers.md +++ b/triggers.md @@ -21,6 +21,7 @@ - [Handler URLs](#handler-urls) - [External speculation rules via script elements](#external-speculation-rules-via-script-elements) - [More speculation actions](#more-speculation-actions) + - [Content-Security-Policy](#content-security-policy) - [Proposed processing model](#proposed-processing-model) - [Developer tooling](#developer-tooling) - [Feature detection](#feature-detection) 
@@ -283,6 +284,13 @@ Adding `"dns-prefetch"` and `"preconnect"`, to mirror [Resource Hints](https://w Another envisioned speculative action is `"prefetch_with_subresources"`, which prefetches a document and then uses the HTML preload scanner to find other subresources that are worth preloading. Chromium currently does something similar (known as "[NoState Prefetch](https://developer.chrome.com/blog/nostate-prefetch/)") for ``. But, we're not yet sure this feature is pulling its weight, in between the lightweight prefetch and the fully-instant prerender features, so it's not yet clear whether this will be worth integrating. +### Content-Security-Policy + +`Speculation-Rules` is embedded as an inline declarationt within a script tag with type=”speculationrules”, and restricted by the `script-src` restriction of the `Content-Security-Policy`. +To control the availability to inject an inline `Speculation-Rules`, `'inline-speculation-rules'` is available in addition to `‘unsafe-inline’`. +This helps developers to permit only inline `Speculation-Rules` but still to disallow unsafe inline JavaScript. +`prefetch-src` is also used to restrict target URLs. + ## Proposed processing model Conceptually, the user agent may from time to time execute a task to consider speculation. (In practice, it will likely do this only in response to some sort of DOM mutation or other event that indicates the applicable rules have changed, and may limit its attention to the affected parts of the document.) Changes to the DOM that are undone within a task cannot therefore be observed by this algorithm. From 9df62a51ecb234c7fcfc78667ba2886bad14c0ea Mon Sep 17 00:00:00 2001 
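Review bot: The new "Content-Security-Policy" section in the `triggers.md` hunk has a typo ("declarationt") and uses typographic quotes in code spans (`type=”speculationrules”`, `‘unsafe-inline’`), which will render literally and will not match what a developer actually types into a header; use straight quotes, e.g. `type="speculationrules"` and `'unsafe-inline'`. The section would also read more clearly with a concrete header, e.g. `Content-Security-Policy: script-src 'self' 'inline-speculation-rules'`, since the point of the new keyword is to allow the inline rules element without widening `script-src` to arbitrary inline JavaScript; and since CSP nonces and hashes on `script-src` are the usual way to allow a specific inline `script` element, the text should say whether a `nonce` on the speculation rules element is honoured too. Finally, the closing sentence "`prefetch-src` is also used to restrict target URLs" is stated without a reference: please link the directive and say which actions (prefetch, prerender, both) it governs, so readers can verify support in their target browsers rather than assume it. The TOC hunk is fine as-is.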
From: Takashi Toyoshima Date: Tue, 22 Nov 2022 21:57:54 +0900 Subject: [PATCH 2/2] Apply suggestions from code review Rephrasing for better explanations and replacing `Speculation-Rules` with just "speculation rules" as the former is used to represent the HTTP header name. Co-authored-by: Jeremy Roman --- triggers.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/triggers.md b/triggers.md index b320442..7fef64a 100644 --- a/triggers.md +++ b/triggers.md @@ -286,10 +286,10 @@ Another envisioned speculative action is `"prefetch_with_subresources"`, which p ### Content-Security-Policy -`Speculation-Rules` is embedded as an inline declarationt within a script tag with type=”speculationrules”, and restricted by the `script-src` restriction of the `Content-Security-Policy`. -To control the availability to inject an inline `Speculation-Rules`, `'inline-speculation-rules'` is available in addition to `‘unsafe-inline’`. -This helps developers to permit only inline `Speculation-Rules` but still to disallow unsafe inline JavaScript. -`prefetch-src` is also used to restrict target URLs. +Speculation rules can be embedded inline within a `script` tag with `type="speculationrules"`, and restricted by the `script-src` CSP directive. +To allow inline speculation rules, use either the `'inline-speculation-rules'` or `'unsafe-inline'` keyword. +Using `script-src 'inline-speculation-rules'` helps developers to permit inline speculation rules but still disallow unsafe inline JavaScript. +The `prefetch-src` directive can be used to restrict which URLs can be prefetched or prerendered. ## Proposed processing model
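Review bot: The rewrite fixes the typo and the typographic quotes, but the `prefetch-src` sentence now makes a stronger claim than before ("which URLs can be prefetched or prerendered") still without a reference; since prerender is a navigation rather than a subresource fetch, please cite where `prefetch-src` is specified to apply to prerender, or limit the sentence to prefetch. The second sentence ("use either the `'inline-speculation-rules'` or `'unsafe-inline'` keyword") should also mention that a `nonce` or hash source on `script-src` remains an option for allowing a single inline rules element, as with any other inline `script`, since a page already using nonces has no reason to add either keyword.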