Prevent speculatively loading links to the uploads, content, plugins, template, or stylesheet directories

[westonruter]

This was brought up by @AntonyXSI in #1157:

3. Excluding links that contain "." or file extensions i.e to prevent a user from downloading large PDFs or images potentially bottlenecking bandwidth. An example would be images being wrapped in a link to the original uncropped image. Hovering over images in a gallery for example could result in lots of large unoptimized images being downloaded unnecessarily in the background. As images will begin to render almost instantly prerendering images, pdfs etc may not be as beneficial as prerendering pages. I'm also not sure what happens if .exe,.pdf or other large files are prefetched that would normally be downloaded once clicked? Does Chrome drop the request or continue the download from the same prefetch request?

See Chrome's behavior for speculative loading of an image and a PDF: #1157 (comment).

In this PR, the uploads directory is excluded from speculative loading. The uploads directory path is added to the base href excludes.

Before	After

What if the uploads directory is pointing to a CDN instead? Well, it will be ignored anyway because the speculation rules are configured to only do same-origin speculative loads:

performance/plugins/speculation-rules/helper.php

Lines 83 to 91 in cb5a37e

	$rules = array(
	array(
	'source' => 'document',
	'where' => array(
	'and' => array(
	// Include any URLs within the same site.
	array(
	'href_matches' => $prefixer->prefix_path_pattern( '/*' ),
	),

So they will be excluded anyway. (The same goes for a site with a site customizing the site_url to point to another domain, cf. #1164). But what if someone wants to do cross-origin speculative loads? That could be made possible with #1156 where the href_matches is changed from /* to instead be *://*/*. Nevertheless, it seems Chrome does not currently support this:

Nevertheless, the above was specifically for prerendering. If I try instead with the mode set to prefetch, I get different results:

So it can work with prefetch in some situations.

We should keep that in mind for the future.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: westonruter <westonruter@git.wordpress.org>
Co-authored-by: tunetheweb <tunetheweb@git.wordpress.org>
Co-authored-by: adamsilverstein <adamsilverstein@git.wordpress.org>
Co-authored-by: felixarntz <flixos90@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[felixarntz]

@westonruter Would it make sense to instead prevent speculative loading of any links to something within wp-content? Uploads is probably most important, but I'm not sure we'd want to speculatively load anything bundled in a plugin or theme either, as it wouldn't be a regular WordPress URL.

[westonruter]

@felixarntz yeah, good point. That should be added as another entry specific to wp-content since the uploads directory can be configured to point somewhere else.

[westonruter]

For completeness, the following URLs should be excluded: WP_CONTENT_URL, WP_PLUGIN_URL, get_stylesheet_directory_uri(), and get_template_directory_uri(). All of these can be overridden from their defaults.

[adamsilverstein]

Nice work!

[tunetheweb]

LGTM