From ddaaef92e60cb0a5fe743c4c2666ed14dd6850db Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Sun, 19 Mar 2023 09:09:59 +0200 Subject: [PATCH 01/10] Define preconnect and dns-prefetch with CSP See whatwg/html#9035 --- fetch.bs | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 7dc74cf3c..ca8637f01 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3027,6 +3027,78 @@ details of reused connections are not exposed and time values are coarsened. +

Preemptive connection operations

+ +
+

To preemptively obtain a connection, given an +environment settings object environment, a URL url, and a +boolean credentials, run these steps: + +

    +

  1. Let key be the result of determining the network partition key given + environment. + +

  2. +

    Check CSP for preemptive operation with environment and url. If + that returns allowed, Obtain a connection with key, url and + credentials. + +

    This connection is obtained but not used directly. It will remain in the + connection pool for subsequent use. + +

    The user agent should attempt to initiate a preconnect and perform the full + connection handshake (DNS+TCP for HTTP, and DNS+TCP+TLS for HTTPS origins) whenever possible, but + is allowed to elect to perform a partial handshake (DNS only for HTTP, and DNS or DNS+TCP for + HTTPS origins), or skip it entirely, due to resource constraints or other reasons.

    + +

    The optimal number of connections per origin is dependent on the negotiated + protocol, users current connectivity profile, available device resources, global connection + limits, and other context specific variables. As a result, the decision for how many connections + should be opened is deferred to the user agent.

    +
+
+ +
+

To preemptively resolve an origin, given an +environment settings object environment and a URL url, run +these steps: + +

    +

  1. Let key be the result of determining the network partition key given + environment. + +

  2. Check CSP for preemptive operation with environment and url. If + that returns blocked, return. + +

  3. Let proxies be the result of finding proxies for url in an + implementation-defined manner. + +

  4. +

    If there proxies is empty, or if proxies + contains "DIRECT", then resolve an origin given key + and url's origin. + +

    As the results of this algorithm can be cached, future fetches could be faster. +

+
+ +
+

To Check CSP for preemptive operation, given an +environment settings object environment, and a URL url, +run these steps: + +

    +

  1. Let request be a request whose URL is + url, initiator is "prefetch", and whose + client is environment. + +

  2. Return the result of running should request be blocked by Content Security Policy? + given request. + +

+
+ +

Network partition keys

A network partition key is a tuple consisting of a site and null or @@ -8720,7 +8792,7 @@ to discuss. [[CSP]] environment settings object you're operating in. Web-exposed APIs are generally defined with Web IDL, for which every object that implements an interface has a relevant settings object you can use. For example, a request associated with an -element would set the request's client to the element's +{{Element}} would set the request's client to the element's node document's relevant settings object. All features that are directly web-exposed by JavaScript, HTML, CSS, or other {{Document}} subresources should have a client. From daab9c10e0d4279d676f77c096b68c475b6d01f3 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Mon, 20 Mar 2023 20:12:33 +0200 Subject: [PATCH 02/10] Update fetch.bs Co-authored-by: Valentin Gosu <1454649+valenting@users.noreply.github.com> --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index ca8637f01..c2fcbdd86 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3074,7 +3074,7 @@ these steps: implementation-defined manner.

  • -

    If there proxies is empty, or if proxies +

    If proxies is empty, or if proxies contains "DIRECT", then resolve an origin given key and url's origin. From 2e4bae6a84c6e0acdb425529f394f6153c60bfd7 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Mon, 24 Apr 2023 11:07:35 +0300 Subject: [PATCH 03/10] Update fetch.bs Co-authored-by: Anne van Kesteren --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index c2fcbdd86..3742d9d0e 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3040,7 +3040,7 @@ boolean credentials, run these steps:

  • Check CSP for preemptive operation with environment and url. If - that returns allowed, Obtain a connection with key, url and + that returns allowed, obtain a connection with key, url and credentials.

    This connection is obtained but not used directly. It will remain in the From 7e6e995343906a20f510e1b0287e1ecf65cc3784 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Mon, 24 Apr 2023 11:07:58 +0300 Subject: [PATCH 04/10] Update fetch.bs Co-authored-by: Anne van Kesteren --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 3742d9d0e..e196e9e0b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3083,7 +3083,7 @@ these steps:

    -

    To Check CSP for preemptive operation, given an +

    To check CSP for preemptive operation, given an environment settings object environment, and a URL url, run these steps: From ef41a25eaf44ce15543e8cbf6a68d040734f596f Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Mon, 24 Apr 2023 11:15:10 +0300 Subject: [PATCH 05/10] PR nits --- fetch.bs | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/fetch.bs b/fetch.bs index e196e9e0b..5a99423b2 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2850,16 +2850,7 @@ steps: connection. -

  • -

    Let proxies be the result of finding proxies for url in an - implementation-defined manner. If there are no proxies, let proxies be - « "DIRECT" ». - -

    This is where non-standard technology such as - Web Proxy Auto-Discovery Protocol (WPAD) - and proxy auto-config (PAC) come - into play. The "DIRECT" value means to not use a proxy for this particular - url. +

  • Let proxies of calling resolve proxies.

  • Let timingInfo be a new connection timing info. @@ -2916,6 +2907,19 @@ reused across connections whose credentials are fal

    +
    +

    To resolve proxies, return the result of finding proxies for url in an +implementation-defined manner. If there are no proxies, return « "DIRECT" ». + +

    This is where non-standard technology such as +Web Proxy Auto-Discovery Protocol (WPAD) +and proxy auto-config (PAC) come +into play. The "DIRECT" value means to not use a proxy for this particular +url. +

    + +
    +

    To create a connection, given a network partition key key, origin origin, boolean credentials, string proxy, @@ -3027,7 +3031,7 @@ details of reused connections are not exposed and time values are coarsened.

    -

    Preemptive connection operations

    +

    Preemptive connections

    To preemptively obtain a connection, given an @@ -3070,13 +3074,11 @@ these steps:

  • Check CSP for preemptive operation with environment and url. If that returns blocked, return. -

  • Let proxies be the result of finding proxies for url in an - implementation-defined manner. +

  • Let proxies be the result of calling resolve proxies.

  • -

    If proxies is empty, or if proxies - contains "DIRECT", then resolve an origin given key - and url's origin. +

    If proxies contains "DIRECT", then + resolve an origin given key and url's origin.

    As the results of this algorithm can be cached, future fetches could be faster. @@ -3094,7 +3096,6 @@ run these steps:

  • Return the result of running should request be blocked by Content Security Policy? given request. - @@ -8792,7 +8793,7 @@ to discuss. [[CSP]] environment settings object you're operating in. Web-exposed APIs are generally defined with Web IDL, for which every object that implements an interface has a relevant settings object you can use. For example, a request associated with an -{{Element}} would set the request's client to the element's +element would set the request's client to the element's node document's relevant settings object. All features that are directly web-exposed by JavaScript, HTML, CSS, or other {{Document}} subresources should have a client. From a85fdaa11f0e3f1b0ca6cf28a29e5a4f96f5b178 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Mon, 24 Apr 2023 13:11:16 +0300 Subject: [PATCH 06/10] should --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 5a99423b2..4cf8dd65c 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3050,7 +3050,7 @@ boolean credentials, run these steps:

    This connection is obtained but not used directly. It will remain in the connection pool for subsequent use. -

    The user agent should attempt to initiate a preconnect and perform the full +

    The user agent can attempt to initiate a preconnect and perform the full connection handshake (DNS+TCP for HTTP, and DNS+TCP+TLS for HTTPS origins) whenever possible, but is allowed to elect to perform a partial handshake (DNS only for HTTP, and DNS or DNS+TCP for HTTPS origins), or skip it entirely, due to resource constraints or other reasons.

    From c267d4e902902b6db875b0865949c1be1c3633f5 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Sun, 7 May 2023 13:09:14 +0300 Subject: [PATCH 07/10] A few editorial nits --- fetch.bs | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/fetch.bs b/fetch.bs index 4cf8dd65c..a9e1ab1b1 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2850,7 +2850,7 @@ steps: connection. -

  • Let proxies of calling resolve proxies. +

  • Let proxies of calling resolve proxies given url.

  • Let timingInfo be a new connection timing info. @@ -2908,8 +2908,9 @@ reused across connections whose credentials are fal

    -

    To resolve proxies, return the result of finding proxies for url in an -implementation-defined manner. If there are no proxies, return « "DIRECT" ». +

    To resolve proxies given a URL url, return the result of +finding proxies for url in an implementation-defined manner. If there are no +proxies, return « "DIRECT" ».

    This is where non-standard technology such as Web Proxy Auto-Discovery Protocol (WPAD) @@ -3033,7 +3034,7 @@ details of reused connections are not exposed and time values are coarsened.

    Preemptive connections

    -
    +

    To preemptively obtain a connection, given an environment settings object environment, a URL url, and a boolean credentials, run these steps: @@ -3043,9 +3044,9 @@ boolean credentials, run these steps: environment.

  • -

    Check CSP for preemptive operation with environment and url. If - that returns allowed, obtain a connection with key, url and - credentials. +

    Run Should connection be allowed by Content Security Policy? with + environment and url. If that returns allowed, + obtain a connection with key, url, and credentials.

    This connection is obtained but not used directly. It will remain in the connection pool for subsequent use. @@ -3062,7 +3063,7 @@ boolean credentials, run these steps: -

    +

    To preemptively resolve an origin, given an environment settings object environment and a URL url, run these steps: @@ -3071,8 +3072,8 @@ these steps:

  • Let key be the result of determining the network partition key given environment. -

  • Check CSP for preemptive operation with environment and url. If - that returns blocked, return. +

  • Run

    Should connection be allowed by Content Security Policy? with + environment and url. If that returns blocked, return.

  • Let proxies be the result of calling resolve proxies. @@ -3085,7 +3086,7 @@ these steps:

    -

    To check CSP for preemptive operation, given an +

    To Should connection be allowed by Content Security Policy?, given an environment settings object environment, and a URL url, run these steps: From f64322aad71d4c6235ff5e4ebae77fecbc80209c Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Mon, 8 May 2023 14:12:36 +0300 Subject: [PATCH 08/10] Use boolean for algo --- fetch.bs | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/fetch.bs b/fetch.bs index a9e1ab1b1..496c67b04 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2850,7 +2850,7 @@ steps: connection. -

  • Let proxies of calling resolve proxies given url. +

  • Let proxies be the result of calling resolve proxies given url.

  • Let timingInfo be a new connection timing info. @@ -3044,8 +3044,8 @@ boolean credentials, run these steps: environment.

  • -

    Run Should connection be allowed by Content Security Policy? with - environment and url. If that returns allowed, +

    Run determine if Content Security Policy allows connection with + environment and url. If that returns true, obtain a connection with key, url, and credentials.

    This connection is obtained but not used directly. It will remain in the @@ -3063,7 +3063,7 @@ boolean credentials, run these steps: -

    +

    To preemptively resolve an origin, given an environment settings object environment and a URL url, run these steps: @@ -3072,8 +3072,8 @@ these steps:

  • Let key be the result of determining the network partition key given environment. -

  • Run

    Should connection be allowed by Content Security Policy? with - environment and url. If that returns blocked, return. +

  • Run

    determine if Content Security Policy allows connection with + environment and url. If that returns false, return.

  • Let proxies be the result of calling resolve proxies. @@ -3085,18 +3085,19 @@ these steps: -

    -

    To Should connection be allowed by Content Security Policy?, given an -environment settings object environment, and a URL url, -run these steps: +

    +

    To determine if Content Security Policy allows connection, given an +environment settings object environment, and a URL url:

    1. Let request be a request whose URL is url, initiator is "prefetch", and whose client is environment. -

    2. Return the result of running should request be blocked by Content Security Policy? - given request. +

    3. Let result be the result of running + should request be blocked by Content Security Policy? given request. + +

    4. Return true if result is allowed, otherwise false.

    From b5bc78b924b0d8d4060ebeadcffd718bb3c79acf Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 28 Sep 2023 14:57:31 +0300 Subject: [PATCH 09/10] Update fetch.bs Co-authored-by: Anne van Kesteren --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 496c67b04..9926dec30 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3073,7 +3073,7 @@ these steps: environment.
  • Run

    determine if Content Security Policy allows connection with - environment and url. If that returns false, return. + environment and url. If that returns false, then return.

  • Let proxies be the result of calling resolve proxies. From fa560ebb79b37b93b7fd4b218144a88cc17c3d1b Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 28 Sep 2023 14:57:39 +0300 Subject: [PATCH 10/10] Update fetch.bs Co-authored-by: Anne van Kesteren --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 9926dec30..0e199a8d7 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3097,7 +3097,7 @@ these steps:

  • Let result be the result of running should request be blocked by Content Security Policy? given request. -

  • Return true if result is allowed, otherwise false. +

  • Return true if result is allowed; otherwise false.