Process subresource link headers #1409
Conversation
|
Do we only test this for font resources currently? I saw https://github.com/web-platform-tests/wpt/blob/master/preload/link-header-on-subresource.html linked from the HTML PR. This would also mean that pretty much any request you make can result in further requests, including a simple Also, it seems this should be processed as part of the same task that will run "process response". I don't think we want to introduce another moment in time for this. |
I will add more, you are right.
I need to double check. I believe so.
OK |
|
I see, I raised this before in w3c/preload#148 but that got closed by whatwg/html#7622 which doesn't quite address this. (E.g., I think as defined a I'm rather concerned about a subresource fetch resulting in further fetches. That's simply not a side effect you'd expect when pulling a resource from elsewhere. @yoavweiss do you know where this feature got discussed before including the security implications, how this should relate to CSP, Referer headers, etc? cc @domenic |
I would expect a stylesheet I fetch to import other stylesheets and continue to do so recursively, same with scripts... I don't see what makes link headers different in that regard. |
|
Right, for style sheets and scripts the main concern I have is around fetching logic (do all the bits and in particular |
Though that's less specific to the recursive aspect, isn't it? An image with a link header would have a side-effect regardless of it being recursive. |
|
I've added tests. The current situation:
I'd love to be able to reach some consensus on how to proceed with this. |
@annevk - this was discussed at the time (~2015, IIRC), but no particular concerns were raised. (some concerns were raised later) With regards to why this is supported, I can see a clear use case for active content preloading depedent subresources (e.g. a script loading a dependent script it knows it'll need, or a CSS preloading a dependent BG image of font). I see less of a use case for passive content (e.g. images), so would be more open to disabling preloads there. |
I can see how this would be a security/privacy concern. Thinking of a document with no-cors images only and no CSP, images might generate link headers to CORS resources, causing unexpected fetches and perhaps exfiltration. |
annevk
added
security/privacy
|
@annevk - do you agree with my argument that this is fine for active resources (e.g. scripts, styles)? If so, that could be a path forward and I can see if there's implementation interest on the Chromium side to remove that support for passive resources. |
I can see how we would specify it as a map of which request destination can load which other request destinations. |
|
@yoavweiss I think it might be possible to make that split, yeah. See #1409 (comment) for the remaining issues. Perhaps that also argues for making the processing happen on the endpoints and not in Fetch directly? |
Yes, maybe fetch doesn't need to be involved at all. Will play around with doing this at the caller sites |
|
@annevk - good point in the comment above about setting the CSS resource as the |
|
So it's mainly the call sites for script/style. But I wonder about the call site at |
|
I don't think |
|
Yeah, |
I was thinking of scenarios where you fetch() the script before executing it, fetch a JSON file that's going to eventually have side-effects that would have you load other resources, have a binary response for WASM that's going to end up downloading more resources in the future etc. But I agree that starting with scripts & style is good (and having module scripts serve subresource |
|
To be clear, I think |
I'm not sure it's a layering violation but I also don't think it's a strong enough use case, so the end result is a consensus AFAIC :) |
| @@ -4272,6 +4273,11 @@ steps: | |||
| </ol> | |||
| </li> | |||
|
|
|||
| <li><p>If <var>request</var> is a <a>subresource request</a> and <var>request</var>'s | |||
| <a for=request>window</a> is an <a>environment settings object</a>, then | |||
| <a>queue a fetch task</a> to run <span>process subresource link headers</span> given | |||
There was a problem hiding this comment.
"process subresource link headers" is not defined anywhere. I see, it is in the HTML PR. Relatedly, span does not cause cross-linking in Bikeshed specs.
There was a problem hiding this comment.
I am going to do an overhaul of this PR, ignore for now.
There was a problem hiding this comment.
Any idea when this will be overhauled?
I'm planning to do a follow-up change: I'd like to pass to the "process subresource link headers" algorithm whether the initiator subresource is render-blocking or not, so that we can create a render-blocking chain. It will depend on how this PR proceeds, though.
There was a problem hiding this comment.
I will get to it once whatwg/html#7866 is in.
Also, I'm not sure how well tested the current support for blocking is in link headers, and I'm sure it's not spec'ed for early hints. I'm not sure if you wanted your follow up to include early hints, but if you do, first early hints have to support blocking. I would suggest to have the WPTs ready for those use-cases before we get to subresources.
There was a problem hiding this comment.
@xiaochengh do/can you have an open issue for the render-blocking chain?
I have some questions/doubts about it, it would save us time later if we could discuss them now :)
There was a problem hiding this comment.
I'll file an issue for render-blocking chain, and also see how it should work with early hints. Thanks for the note!
There was a problem hiding this comment.
I filed whatwg/html#7899
Regarding early hints: I think blocking should be ignored on early hints, because there's no document to block when early hints are processed. It suffices as long as the actual response makes the document block on the early-hint-preloaded resources.
|
Thinking about this again, I believe this should be done inside Also, we need to be careful not to allow preload semantics that styles are not capable of creating themselves - e.g. the |
|
Sigh. So that means I think it would actually be better if we had "fetch a style sheet" and "fetch a script" wrappers if we decided to go down that road. Offloading all the complexity into Fetch isn't great long term. |
|
Yeah, I am really surprised at the claims like
and
Why can't we make Link headers a generic fetch primitive? Why do they need these constraints? |
|
@domenic see above, all fetches acting on |
|
I don't think I really bought that argument, but even if we go that direction, I don't understand why it has to be so type-specific. Basically I would not expect the details of CSS to leak into |
I agree that you wouldn't expect that
Yes I can see that. Perhaps we could start by allowing this in |
|
To be clear, my proposal (not sure if it's helpful) is that rel=preload not have any restrictions. blocking="" always works, crossorigin="" can be any value, etc. If this allows you to create fetches you could not create with |
I see, I'm Ok with this. But are you proposing to also allow that for things that are not styles/scripts? |
My preference would be to allow it for all fetches, but I understand @annevk is against it, and I don't feel strongly. (Especially since it's always easier to start conservative.) So the question is which fetches allow it. I can think of a few options:
I'm not sure which option the various participants in this discussion want to go for. Or what is most useful. Or how that plays out in terms of spec layering. But maybe nailing that down is the next step? I guess you made an initial proposal at #1409 (comment) but I'm not sure if everyone got on board with that... apologies if they did and I'm just confusing matters. |
I can go with an option where if the destination of the request is |
|
Just a side note that this will be very useful for So I would love to see this getting landed soon. |
OK, so concretely, Fetch would contain this logic, which dispatches to HTML's "process link headers for subresources" which just assumes that if it's called it's allowed to do full That sounds pretty elegant to me. @annevk are you on board? |
|
|
Can the processing of these |
Right, they feel more like an HTML feature. I'll prepare an HTML patch to handle these at a few of the call sites. |
|
I want whatwg/html#7866 to go in first, and to start relying on the "pending document" concept where all link header processing has a "document promise" of sorts which it awaits at the moment where it really needs a document. Otherwise I need to keep special-casing early hints and it's getting a bit out of hand |
|
@noamr am I correct in assuming that this can now be closed? |
No. The spec still doesn't deal with subresource link headers while implementations do something with them. |
|
Closing for now, if someone wants to pursue spec'ing this feature it would probably require a new PR anyway. |
In conjunction with whatwg/html#7691
(see there for implementers/tests etc)
(See WHATWG Working Mode: Changes for more details.)
💥 Error: 500 Internal Server Error 💥
PR Preview failed to build. (Last tried on Mar 9, 2022, 3:32 PM UTC).
More
PR Preview relies on a number of web services to run. There seems to be an issue with the following one:
🚨 CSS Spec Preprocessor - CSS Spec Preprocessor is the web service used to build Bikeshed specs.
🔗 Related URL
If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.