Allow control over `dns-prefetch` and `preconnect` #282

Open
annevk opened this issue Jan 11, 2018 · 4 comments

@annevk annevk commented Jan 11, 2018

Raising this separately from #107 as that is mostly focused on the other types (which go through Fetch).

See @samuelhorwitz's comment at whatwg/fetch#658 (comment).

If we do this it might make CSP a natural place to also define the X-DNS-Prefetch-Control header (see w3c/resource-hints#75); again, in cooperation with HTML most likely.

@mikewest mikewest changed the title from "Block dns-prefetch" to "Allow control over `dns-prefetch` and `preconnect`" Jan 12, 2018

@mikewest mikewest commented Jan 12, 2018

Talked with @yoavweiss about this today. I think what we agreed on was something like the following:

  1. Add something to CSP that answers the question "Would a request to |url| be allowed by fetch directives?". That algorithm would walk through all the fetch directives specified in each of the active policies, and return true if a request to |url| would be allowed by any of them. e.g. `default-src https://site.example; img-src https://images.cdn` would return true for `https://site.example` and `https://images.cdn`.

  2. Hook into this algorithm from Fetch's Obtain a connection (which I'm going to charitably assume is part of the preconnect flow).

  3. Figure out some way of establishing this algorithm's control over dns-prefetch.

  4. Call it a day.

WDYT?
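
A sketch of the check described in step 1 of the comment above, added here as an example; it is not code from the CSP specification or from any participant in this thread. The function names are hypothetical, source matching is a simplified subset of CSP's rules, and the result for policies without any fetch directive is an assumption.

```javascript
// Added illustration: names are hypothetical and source matching is simplified.
const FETCH_DIRECTIVES = new Set([
  "default-src", "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "style-src", "worker-src",
]);

// Split one serialized policy into [directiveName, sourceExpressions[]] pairs.
function parsePolicy(serialized) {
  return serialized.split(";")
    .map((d) => d.trim().split(/\s+/))
    .filter((tokens) => tokens[0] !== "")
    .map(([name, ...sources]) => [name.toLowerCase(), sources]);
}

// Simplified matching: '*', 'self', scheme-sources ("https:") and host-sources
// with optional scheme, leading "*." wildcard and port. Paths are ignored.
function sourceMatches(source, url, selfOrigin) {
  if (source === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes, other keywords
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  return port === "*" || (port || defaultPort) === (url.port || defaultPort);
}

// True if any fetch directive in any active policy would allow a request to urlString.
function allowedByFetchDirectives(urlString, activePolicies, selfOrigin) {
  const url = new URL(urlString);
  const directives = activePolicies.flatMap((p) => parsePolicy(p))
    .filter(([name]) => FETCH_DIRECTIVES.has(name));
  // Assumption (not stated in the thread): no fetch directives means no restriction.
  if (directives.length === 0) return true;
  return directives.some(([, sources]) =>
    sources.some((s) => sourceMatches(s, url, selfOrigin)));
}

// Constructed sample: the policy quoted in the comment above.
const policies = ["default-src https://site.example; img-src https://images.cdn"];
for (const u of ["https://site.example/", "https://images.cdn/a.png", "https://other.example/"]) {
  console.log(u, allowedByFetchDirectives(u, policies, "https://site.example"));
}
```
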

@mikewest mikewest commented Jan 12, 2018

@annevk annevk commented Jan 12, 2018

Sounds good to me. (The only thing that's still unclear to me is how WebRTC's algorithms tie into all this, but I guess we'll track that as part of #92.)

@mikewest mikewest commented Jan 12, 2018

> Sounds good to me. (The only thing that's still unclear to me is how WebRTC's algorithms tie into all this, but I guess we'll track that as part of #92.)

Short answer: connect-src seems reasonable. Long answer: I'll go look at that bug.
