Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Speculation Rules security and privacy considerations, and refactor into two bikeshed files #78

Merged
merged 6 commits into from
Sep 14, 2021
Merged

Add Speculation Rules security and privacy considerations, and refactor into two bikeshed files #78

merged 6 commits into from
Sep 14, 2021

Conversation

jeremyroman
Copy link
Collaborator

This change:

  • adds security and privacy considerations related to speculation rules
  • so that this doesn't get mixed in, index.bs is moved to prerendering.bs, which is unmodified except for making the speculation rules section just an outbound link
  • speculation-rules.bs has a new abstract and security and privacy considerations, but is otherwise copied from index.bs
  • the Makefile is modified to support this
  • a basic index.html is created to bounce people to one of the two output files

@jeremyroman jeremyroman requested a review from domenic September 3, 2021 21:25
@jeremyroman jeremyroman changed the title Split and sr sp considerations Add Speculation Rules security and privacy considerations, and refactor into two bikeshed files Sep 3, 2021
@domenic
Copy link
Collaborator

domenic commented Sep 3, 2021

The split looks solid. I'll try to review the S&P additions on Tuesday.

I guess we should delete .pr-preview.json since it doesn't seem to support this use case?

@jeremyroman
Copy link
Collaborator Author

That's unfortunate. I guess we could still mark one of the files as supporting it, but ideally tobie/pr-preview#18 would be fixed. :)

@domenic domenic mentioned this pull request Sep 7, 2021
Merged
domenic
domenic approved these changes Sep 7, 2021
View reviewed changes
speculation-rules.bs

Since existing [=credentials=] for the destination origin are not sent (assuming it is not [=same origin=] with the referrer), that site is limited in its ability to identify the user before navigation in a similar way to if the referrer site had simply used [[FETCH]] to make an uncredentialed request. Upon navigation, this becomes similar to ordinary navigation (e.g., by clicking a link that was not prefetched).

To the extent that user agents attempt to mitigate identity joining for ordinary fetches and navigations, they can apply similar mitigations to prefetched navigations.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think @jyasskin might have a document you could link to on this subject.

@jeremyroman jeremyroman merged commit 6dabd8e into main Sep 14, 2021
@jeremyroman jeremyroman deleted the split-and-sr-sp-considerations branch September 14, 2021 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domenic domenic domenic approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeremyroman @domenic