deploy: 9595024
domenic committed Oct 7, 2024
1 parent 9f830dc commit 5427350
Showing 4 changed files with 13 additions and 9 deletions.
2 changes: 1 addition & 1 deletion no-vary-search.html
@@ -749,7 +749,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2021/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">No-Vary-Search</h1>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-09-06">6 September 2024</time></p>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-10-06">6 October 2024</time></p>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
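Review bot: This hunk, together with the matching ones in prefetch.html and prerendering.html, changes nothing but the dt-updated timestamp (6 September 2024 to 6 October 2024) although none of those three documents has any content change in this deploy, so the "last updated" line no longer tells a reader whether the spec text actually moved. If the build regenerates every document on each deploy, consider deriving dt-updated from the source file's last change rather than from the build date, or leave documents without source changes out of the deploy commit.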
2 changes: 1 addition & 1 deletion prefetch.html
@@ -610,7 +610,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2021/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Prefetch</h1>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-09-06">6 September 2024</time></p>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-10-06">6 October 2024</time></p>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
2 changes: 1 addition & 1 deletion prerendering.html
@@ -773,7 +773,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2021/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Prerendering Revamped</h1>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-09-06">6 September 2024</time></p>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-10-06">6 October 2024</time></p>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
16 changes: 10 additions & 6 deletions speculation-rules.html
@@ -641,7 +641,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2021/logos/W3C" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Speculation Rules</h1>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-09-06">6 September 2024</time></p>
<p id="w3c-state"><a href="https://www.w3.org/standards/types#CG-DRAFT">Draft Community Group Report</a>, <time class="dt-updated" datetime="2024-10-06">6 October 2024</time></p>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
@@ -1757,18 +1757,19 @@ <h3 class="heading settled" data-level="2.6" id="content-security-policy-patches
</p>
</ol>
<h3 class="heading settled" data-level="2.7" id="content-security-policy-patches-effective-directive"><span class="secno">2.7. </span><span class="content">Get the effective directive for request</span><a class="self-link" href="#content-security-policy-patches-effective-directive"></a></h3>
<p>The switch needs one additional case. At present, requests can only be issued in the case of the <span>`<code><a data-link-type="http-header" href="#http-headerdef-speculation-rules" id="ref-for-http-headerdef-speculation-rules②">Speculation-Rules</a></code>`</span> header, so <code>script-src-elem</code> is too specific and only <code>script-src</code> (or its fallback, <code>default-src</code>) applies.</p>
<p>In <a href="https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request"><cite>Content Security Policy 3</cite> § 6.8.1 Get the effective directive for request</a>, the switch on the request <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①">destination</a> needs one additional case.</p>
<p class="note" role="note">At present, requests can only be issued in the case of the <span>`<code><a data-link-type="http-header" href="#http-headerdef-speculation-rules" id="ref-for-http-headerdef-speculation-rules②">Speculation-Rules</a></code>`</span> header, so CSP does not apply. If support is added for loading external rule sets via <code>&lt;script src></code>, for which CSP would apply, then the CSP directive selection will need to distinguish this case, such as by the introduction of a new request <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator" id="ref-for-concept-request-initiator">initiator</a>.</p>
<dl>
<dt data-md>"<code>speculationrules</code>"
<dd data-md>
<ol>
<li data-md>
<p>Return <code>script-src</code>.</p>
<p>Return null.</p>
</ol>
</dl>
<h2 class="heading settled" data-level="3" id="fetch"><span class="secno">3. </span><span class="content">Fetch</span><a class="self-link" href="#fetch"></a></h2>
<h3 class="heading settled" data-level="3.1" id="fetch-destination"><span class="secno">3.1. </span><span class="content">Destination</span><a class="self-link" href="#fetch-destination"></a></h3>
<p>The string "<code>speculationrules</code>" is added to the list of valid <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination">destinations</a> and also to the list of enumerators in <code class="idl"><a data-link-type="idl" href="https://fetch.spec.whatwg.org/#requestdestination" id="ref-for-requestdestination">RequestDestination</a></code>.</p>
<p>The string "<code>speculationrules</code>" is added to the list of valid <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination">destinations</a> and also to the list of enumerators in <code class="idl"><a data-link-type="idl" href="https://fetch.spec.whatwg.org/#requestdestination" id="ref-for-requestdestination">RequestDestination</a></code>.</p>
<h2 class="heading settled" data-level="4" id="security-considerations"><span class="secno">4. </span><span class="content">Security considerations</span><a class="self-link" href="#security-considerations"></a></h2>
<h3 class="heading settled" data-level="4.1" id="security-csrf"><span class="secno">4.1. </span><span class="content">Cross-site request forgery</span><a class="self-link" href="#security-csrf"></a></h3>
<p>This specification allows documents to cause HTTP requests to be issued.</p>
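Review bot: Replacing "Return <code>script-src</code>." with "Return null." in the "speculationrules" case of §2.7 takes the fetch of a header-referenced rule set out of every CSP fetch directive, including the <code>default-src</code> fallback, not just <code>script-src</code>; the new note should say so explicitly, because "so CSP does not apply" is the decision this change makes rather than a description of existing behaviour, and the justification (an attacker who can inject arbitrary response headers already controls the server, as argued in §4.2) is not stated here. Suggest linking the note to §4.2, and tracking the "new request initiator" idea as a follow-up: the note itself says CSP would apply to rule sets loaded via <code>&lt;script src&gt;</code>, so if that feature reuses the "speculationrules" destination without a distinguishing initiator, this null return would exempt element-loaded rule sets as well.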
@@ -1791,7 +1792,7 @@ <h3 class="heading settled" data-level="4.2" id="security-xss"><span class="secn
<p>Such an attacker is otherwise able to inject JavaScript, frames or other elements. The activity possible with this specification (requesting fetches etc) is generally less dangerous than arbitrary script execution, and comparable to other elements. It would, however, make it possible to cause prefetches of links in the document, and the existence of those prefetches could provide a vector for exfiltrating information about those links.</p>
<p>The same mitigations available to other features also apply here. In particular, the <a data-link-type="biblio" href="#biblio-csp" title="Content Security Policy Level 3">[CSP]</a> <code>script-src</code> directive applies to the parsing of the speculation rules and the <code>default-src</code> directive applies to prefetch requests arising from the rules.</p>
<p>The possibility of leaking link URLs via this mechanism is additionally mitigated by the fact that prefetch and prerender to plaintext HTTP (other than to localhost) is not permitted, and so such an on-path attacker could not directly observe preloading request URLs, but would only have access to metadata and traffic analysis. This does not, however, replace standard XSS protections.</p>
<p>It’s generally not expected that user-generated content will be added as arbitrary response headers; server operators are already going to encounter significant trouble if this is possible. It is therefore unlikely that the <span>`<code><a data-link-type="http-header" href="#http-headerdef-speculation-rules" id="ref-for-http-headerdef-speculation-rules④">Speculation-Rules</a></code>`</span> header meaningfully expands the XSS attack surface. Nonetheless, the <a data-link-type="biblio" href="#biblio-csp" title="Content Security Policy Level 3">[CSP]</a> <code>script-src</code> directive applies in this case as well.</p>
<p>It’s generally not expected that user-generated content will be added as arbitrary response headers; server operators are already going to encounter significant trouble if this is possible. It is therefore unlikely that the <span>`<code><a data-link-type="http-header" href="#http-headerdef-speculation-rules" id="ref-for-http-headerdef-speculation-rules④">Speculation-Rules</a></code>`</span> header meaningfully expands the XSS attack surface. Therefore, <a data-link-type="biblio" href="#biblio-csp" title="Content Security Policy Level 3">[CSP]</a> does not apply to the loading of rule sets via the header.</p>
<h3 class="heading settled" data-level="4.3" id="type-confusion"><span class="secno">4.3. </span><span class="content">Type confusion</span><a class="self-link" href="#type-confusion"></a></h3>
<p>In the case of speculation rules in an inline <code>&lt;script></code>, an application which erroneously parsed speculation rules as a JavaScript script (though user agents are instructed not to execute scripts who "<code>type</code>" is unrecognized) would either interpret it as the empty block <code>{}</code> or produce a syntax error, since the U+003A COLON (<code>:</code>) after the first key is invalid JavaScript. In neither case would such an application execute harmful behavior.</p>
<p>Since the parsing behavior of the <code>&lt;script></code> element has long been part of HTML, any modern HTML parser would not construct any non-text children of the element. There is thus a low risk of other text hidden inside a <code>&lt;script></code> element with <code>type="speculationrules"</code> which is parsed as part of the script content by compliant HTML implementations but as HTML tags by others.</p>
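Review bot: The new closing sentence of the last paragraph, "Therefore, [CSP] does not apply to the loading of rule sets via the header", presents a normative choice as though it followed from the risk argument; the observation that header injection is unlikely to widen the XSS surface supports not requiring CSP, it does not entail that CSP is switched off. Suggest phrasing it as the decision it is and pointing at where it is made, e.g. "Accordingly, this specification does not subject rule-set fetches triggered by the header to [CSP]; see §2.7", so a reader of the security considerations can find the normative hook. The earlier sentence in this section stating that <code>script-src</code> applies to parsing of the speculation rules remains accurate for inline rule sets and should stay.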
@@ -2009,6 +2010,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
<li><span class="dfn-paneled" id="5c66de35">get a structured field value</span>
<li><span class="dfn-paneled" id="f7b00a8b">header list</span>
<li><span class="dfn-paneled" id="eb62573b">http(s) scheme</span>
<li><span class="dfn-paneled" id="fa4ea124">initiator</span>
<li><span class="dfn-paneled" id="cb98f71f">mode</span>
<li><span class="dfn-paneled" id="a27468c5">ok status</span>
<li><span class="dfn-paneled" id="08b51e40">processresponseconsumebody</span>
@@ -2459,7 +2461,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
"36a75887": {"dfnID":"36a75887","dfnText":"extracting a mime type","external":true,"refSections":[{"refs":[{"id":"ref-for-concept-header-extract-mime-type"}],"title":"1.5. External speculation rule sets"}],"url":"https://fetch.spec.whatwg.org/#concept-header-extract-mime-type"},
"37d0f4ab": {"dfnID":"37d0f4ab","dfnText":"html element removing steps","external":true,"refSections":[{"refs":[{"id":"ref-for-html-element-removing-steps"}],"title":"1.2. The script element"}],"url":"https://html.spec.whatwg.org/multipage/infrastructure.html#html-element-removing-steps"},
"3a711be7": {"dfnID":"3a711be7","dfnText":"scheme","external":true,"refSections":[{"refs":[{"id":"ref-for-concept-url-scheme"}],"title":"1.6. Parsing"},{"refs":[{"id":"ref-for-concept-url-scheme\u2460"}],"title":"1.7. Processing model"}],"url":"https://url.spec.whatwg.org/#concept-url-scheme"},
"3ae34c95": {"dfnID":"3ae34c95","dfnText":"destination","external":true,"refSections":[{"refs":[{"id":"ref-for-concept-request-destination"}],"title":"1.5. External speculation rule sets"},{"refs":[{"id":"ref-for-concept-request-destination\u2460"}],"title":"3.1. Destination"}],"url":"https://fetch.spec.whatwg.org/#concept-request-destination"},
"3ae34c95": {"dfnID":"3ae34c95","dfnText":"destination","external":true,"refSections":[{"refs":[{"id":"ref-for-concept-request-destination"}],"title":"1.5. External speculation rule sets"},{"refs":[{"id":"ref-for-concept-request-destination\u2460"}],"title":"2.7. Get the effective directive for request"},{"refs":[{"id":"ref-for-concept-request-destination\u2461"}],"title":"3.1. Destination"}],"url":"https://fetch.spec.whatwg.org/#concept-request-destination"},
"3d877348": {"dfnID":"3d877348","dfnText":"should fetching request be blocked as mixed content?","external":true,"refSections":[{"refs":[{"id":"ref-for-should-block-fetch"}],"title":"4.5. Mixed content"}],"url":"https://w3c.github.io/webappsec-mixed-content/#should-block-fetch"},
"3de9e659": {"dfnID":"3de9e659","dfnText":"byte sequence","external":true,"refSections":[{"refs":[{"id":"ref-for-byte-sequence"}],"title":"1.5. External speculation rule sets"}],"url":"https://infra.spec.whatwg.org/#byte-sequence"},
"3fca5a9e": {"dfnID":"3fca5a9e","dfnText":"map","external":true,"refSections":[{"refs":[{"id":"ref-for-ordered-map"},{"id":"ref-for-ordered-map\u2460"},{"id":"ref-for-ordered-map\u2461"},{"id":"ref-for-ordered-map\u2462"},{"id":"ref-for-ordered-map\u2463"}],"title":"1.6. Parsing"}],"url":"https://infra.spec.whatwg.org/#ordered-map"},
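Review bot: The updated entry for 3ae34c95 now lists the §3.1 reference as ref-for-concept-request-destination② and the new §2.7 one as ①, but the §3.1 line in the earlier hunk (the pair beginning 'The string "speculationrules" is added') shows an unchanged id="ref-for-concept-request-destination" in this rendering. Worth confirming that the regenerated HTML really renumbered that anchor; otherwise the index panel link for "3.1. Destination" points at an id that does not exist in the document.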
@@ -2584,6 +2586,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
"f8434dee": {"dfnID":"f8434dee","dfnText":"being rendered","external":true,"refSections":[{"refs":[{"id":"ref-for-being-rendered"}],"title":"1.7. Processing model"}],"url":"https://html.spec.whatwg.org/multipage/rendering.html#being-rendered"},
"f937b7b6": {"dfnID":"f937b7b6","dfnText":"continue","external":true,"refSections":[{"refs":[{"id":"ref-for-iteration-continue"},{"id":"ref-for-iteration-continue\u2460"}],"title":"1.4. The `Speculation-Rules` header"},{"refs":[{"id":"ref-for-iteration-continue\u2461"},{"id":"ref-for-iteration-continue\u2462"}],"title":"1.5. External speculation rule sets"},{"refs":[{"id":"ref-for-iteration-continue\u2463"},{"id":"ref-for-iteration-continue\u2464"},{"id":"ref-for-iteration-continue\u2465"},{"id":"ref-for-iteration-continue\u2466"},{"id":"ref-for-iteration-continue\u2467"},{"id":"ref-for-iteration-continue\u2468"},{"id":"ref-for-iteration-continue\u2460\u24ea"}],"title":"1.6. Parsing"},{"refs":[{"id":"ref-for-iteration-continue\u2460\u2460"},{"id":"ref-for-iteration-continue\u2460\u2461"},{"id":"ref-for-iteration-continue\u2460\u2462"},{"id":"ref-for-iteration-continue\u2460\u2463"}],"title":"1.7. Processing model"}],"url":"https://infra.spec.whatwg.org/#iteration-continue"},
"f9933a9c": {"dfnID":"f9933a9c","dfnText":"build a url pattern from an infra value","external":true,"refSections":[{"refs":[{"id":"ref-for-build-a-url-pattern-from-an-infra-value"}],"title":"1.6. Parsing"}],"url":"https://urlpattern.spec.whatwg.org/#build-a-url-pattern-from-an-infra-value"},
"fa4ea124": {"dfnID":"fa4ea124","dfnText":"initiator","external":true,"refSections":[{"refs":[{"id":"ref-for-concept-request-initiator"}],"title":"2.7. Get the effective directive for request"}],"url":"https://fetch.spec.whatwg.org/#concept-request-initiator"},
"fba1e812": {"dfnID":"fba1e812","dfnText":"prefetch record","external":true,"refSections":[{"refs":[{"id":"ref-for-prefetch-record"},{"id":"ref-for-prefetch-record\u2460"}],"title":"1.7. Processing model"}],"url":"prefetch.html#prefetch-record"},
"fd32e3c9": {"dfnID":"fd32e3c9","dfnText":"shadow-including descendant","external":true,"refSections":[{"refs":[{"id":"ref-for-concept-shadow-including-descendant"}],"title":"1.7. Processing model"}],"url":"https://dom.spec.whatwg.org/#concept-shadow-including-descendant"},
"fd3baafe": {"dfnID":"fd3baafe","dfnText":"matches a url","external":true,"refSections":[{"refs":[{"id":"ref-for-prefetch-record-matches-a-url"}],"title":"1.7. Processing model"}],"url":"prefetch.html#prefetch-record-matches-a-url"},
@@ -3114,6 +3117,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
"https://fetch.spec.whatwg.org/#concept-request-client": {"export":true,"for_":["request"],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"client","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-request-client"},
"https://fetch.spec.whatwg.org/#concept-request-credentials-mode": {"export":true,"for_":["request"],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"credentials mode","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-request-credentials-mode"},
"https://fetch.spec.whatwg.org/#concept-request-destination": {"export":true,"for_":["request"],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"destination","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-request-destination"},
"https://fetch.spec.whatwg.org/#concept-request-initiator": {"export":true,"for_":["request"],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"initiator","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-request-initiator"},
"https://fetch.spec.whatwg.org/#concept-request-mode": {"export":true,"for_":["request"],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"mode","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-request-mode"},
"https://fetch.spec.whatwg.org/#concept-request-url": {"export":true,"for_":["request"],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"url","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-request-url"},
"https://fetch.spec.whatwg.org/#concept-response": {"export":true,"for_":[],"level":"1","normative":true,"shortname":"fetch","spec":"fetch","status":"current","text":"response","type":"dfn","url":"https://fetch.spec.whatwg.org/#concept-response"},
