Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update prefetch link once the spec and implementations are finalized #23553

Closed
noamr opened this issue Jan 11, 2023 · 12 comments
Closed

Update prefetch link once the spec and implementations are finalized #23553

noamr opened this issue Jan 11, 2023 · 12 comments
Labels
Content:Glossary Glossary entries

Comments

@noamr
Copy link
Contributor

noamr commented Jan 11, 2023

MDN URL

https://developer.mozilla.org/en-US/docs/Glossary/Prefetch

What specific section or headline is this issue about?

No response

What information was incorrect, unhelpful, or incomplete?

The current text accurate-ish to the current Firefox implementation, but that's about to change:

  • Use Sec-Purpose instead of Purpose or x-moz
  • Accept header is the same as the one for regular address-bar browsing
  • CSP: uses "least restrictive directive" rather than prefetch-src

What did you expect to see?

I expect the page to reflect how prefetch works in an interoperable way (once reality catches up with that...)

Do you have any supporting links, references, or citations?

See HTML PR: whatwg/html#8111

Do you have anything more you want to share?

No response
@noamr noamr added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Jan 11, 2023
@github-actions github-actions bot added the Content:Glossary Glossary entries label Jan 11, 2023
@noamr noamr mentioned this issue Jan 11, 2023
Merged
4 tasks
@sideshowbarker sideshowbarker added help wanted If you know something about this topic, we would love your help! waiting for implementations Waiting for feature to be implemented in browsers and removed needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. labels Jan 12, 2023
@hamishwillee
Copy link
Collaborator

FYI, FF supports Sec-Purpose: prefetch from FF115 so I will be trying to document that shortly in #27171.

@noamr It would be good to have help writing a vendor neutral version of https://developer.mozilla.org/en-US/docs/Glossary/Prefetch if you have advice.

I also found this doc, which I think should be deleted: https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ

@noamr
Copy link
Contributor Author

noamr commented Jun 19, 2023
edited
Loading

FYI, FF supports Sec-Purpose: prefetch from FF115 so I will be trying to document that shortly in #27171.

Amazing.

@noamr It would be good to have help writing a vendor neutral version of https://developer.mozilla.org/en-US/docs/Glossary/Prefetch if you have advice.

Yes it would be great! I suggest starting with the spec, and ask if anything is missing/needs clarifying?

I also found this doc, which I think should be deleted: https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ

@hamishwillee
Copy link
Collaborator

@noamr Thanks. I also found your comment here useful https://bugzilla.mozilla.org/show_bug.cgi?id=1788167 as that seems to summarize where browsers/servers should end up.

@noamr
Copy link
Contributor Author

noamr commented Jun 19, 2023

@noamr Thanks. I also found your comment here useful https://bugzilla.mozilla.org/show_bug.cgi?id=1788167 as that seems to summarize where browsers/servers should end up.

Yes, though "When consuming prefetch, Vary: Accept should be ignored" is unnecessary if the accept header is the same as navigation. That's what we ended up doing in chrome and WPT (Send the same accept header as nav, but don't treat it in a special way when invalidating cache)

@hamishwillee hamishwillee mentioned this issue Jun 19, 2023
Closed
10 tasks
@hamishwillee
Copy link
Collaborator

hamishwillee commented Jun 20, 2023
edited
Loading

@noamr Can you confirm my understanding of the CORS-mode behaviour - specifically what does this mean?:

CSP: uses "least restrictive directive" rather than prefetch-src

Looking at the spec https://w3c.github.io/webappsec-csp/#does-request-violate-policy ...

Given a request request and a policy policy, this algorithm returns the default directive if the resource-hint request violates all the policies, and "Does Not Violate" otherwise.

So in other words you run the test against all the policies and only fail if all of them fail. Is that right?

Further, that means if default-src is not specified (everything is allowed) you will succeed. And if default-src is permissive, the fact that others are not does not matter.

And presumably same-site requests just work?

@hamishwillee hamishwillee removed the help wanted If you know something about this topic, we would love your help! label Jun 20, 2023
@hamishwillee
Copy link
Collaborator

hamishwillee commented Jun 20, 2023
edited
Loading

Also,

  1. This test indicates that "Prefetch should include Sec-Purpose=prefetch and Sec-Fetch-Dest=empty headers"

  2. So does as in a link map to the destination the value set by Sec-Fetch-Dest? So the above means that irrespective of the data type you'd just not specify the destination.

  3. But then in this test we have:

    • same origin document prefetch without 'as' should be consumed
    • same-site different-origin document prefetch without 'as' should be consumed
    • different-site document prefetch without 'as' should not be consumed
    • different-site document prefetch with 'as=document' should not be consumed

    This confuses me if the Sec-Fetch-Dest passes the data from link as and that must be empty. It seems to indicate that that same site prefetch of a document doesn't need as (always succeeds), but cross-site document prefetches of documents do not.

I'm probably asking a stupid question here sorry, but what are the rules for "as", and are there special rules for document/cross-site and so on.

@noamr
Copy link
Contributor Author

noamr commented Jun 20, 2023

@noamr Can you confirm my understanding of the CORS-mode behaviour - specifically what does this mean?:

CSP: uses "least restrictive directive" rather than prefetch-src

Looking at the spec https://w3c.github.io/webappsec-csp/#does-request-violate-policy ...

Given a request request and a policy policy, this algorithm returns the default directive if the resource-hint request violates all the policies, and "Does Not Violate" otherwise.

So in other words you run the test against all the policies and only fail if all of them fail. Is that right?

Yes. The idea is that your prefetch could be any type of resource. So if any type of resource is allowed to be fetched from this URL, you can also prefetch this URL.

Further, that means if default-src is not specified (everything is allowed) you will succeed. And if default-src is permissive, the fact that others are not does not matter.

Correct.

And presumably same-site requests just work?

No, you can also prevent same-site in CSP.

@noamr
Copy link
Contributor Author

noamr commented Jun 20, 2023

Also,

  1. This test indicates that "Prefetch should include Sec-Purpose=prefetch and Sec-Fetch-Dest=empty headers"
  2. So does as in a link map to the destination the value set by Sec-Fetch-Dest? So the above means that irrespective of the data type you'd just not specify the destination.

It does in <link rel=preload>. There is no as in prefetch.

  1. But then in this test we have:

    • same origin document prefetch without 'as' should be consumed
    • same-site different-origin document prefetch without 'as' should be consumed
    • different-site document prefetch without 'as' should not be consumed
    • different-site document prefetch with 'as=document' should not be consumed

    This confuses me if the Sec-Fetch-Dest passes the data from link as and that must be empty. It seems to indicate that that same site prefetch doesn't need as, but cross-site document prefetches do.

I'm probably asking a stupid question here sorry, but what are the rules for "as", and are there special rules for document/cross-site and so on.

The as=document is some non-standard thing in chromium that we will remove in the future. These tests show the desired results: that as=document doesn't do anything special. they currently fail on chromium because of the special behavior.

@hamishwillee hamishwillee mentioned this issue Jun 27, 2023
Merged
@Josh-Cena
Copy link
Member

@noamr Do you think this could be closed by #27589?

@Josh-Cena Josh-Cena removed the waiting for implementations Waiting for feature to be implemented in browsers label Jul 4, 2023
@noamr
Copy link
Contributor Author

noamr commented Jul 4, 2023

@noamr Do you think this could be closed by #27589?

Yes!

@noamr noamr closed this as completed Jul 4, 2023
@Josh-Cena
Copy link
Member

Wow, thanks for the prompt response 😄

@hamishwillee
Copy link
Collaborator

@noamr ... and thanks for all your support on getting the fixes in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Content:Glossary Glossary entries
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@noamr @sideshowbarker @hamishwillee @Josh-Cena