Add an explainer for subresource signed exchanges

[horo-t]

I uploaded explainer documents of subresource signed exchanges to my
repository (https://github.com/horo-t/subresource-signed-exchange).
But they should be in this webpackage repository.
So this patch copies them from "horo-t/subresource-signed-exchange"
repository.

Spec issue: #347
TAG review: w3ctag/design-reviews#352

[jyasskin]

I didn't get to the Signed Exchange subresource substitution or fully review the security questionnaire for the rel=alternate explainer.

[jyasskin]

Suggested change

	We want to extend the usage of the existing [rel=alternate](https://html.spec.whatwg.org/multipage/links.html#rel-alternate) link header for signed exchange. Using this link header, the content publishers can declare that the resource is available in signed exchange format. This can be used both by the crawlers of aggregator sites (SNS, News site, search engine..) and by the UAs. The crawlers can cache and serve the signed exchange of the content in their own server. The UAs can provide the users with a way to save the page in signe exchange format. And also signed exchange alternate links can be used to recursively prefetch appropriate subresource signed exchanges while prefetching the main resource signed exchange.
	We want to allow the publisher of a resource to declare that a signed exchange is available holding the content of either that resource or one of its subresources. We expect aggregator sites (SNS, News site, search engine..) to use this to cache the signed version of a resource in order to serve it to their users. We expect UAs to use this to allow users to save the page in signed exchange format. When the publisher identifies a same-origin signed exchange for a cross-origin subresource, the UA can use that information to recursively prefetch the subresource without exposing its speculative activity across origins.
	[`<link rel="alternate" type="application/signed-exchange" href=...>`](https://html.spec.whatwg.org/multipage/links.html#rel-alternate) and the equivalent `Link` header are already defined to declare that the referenced document is a reformulation of the current document as a signed exchange. To offer signed exchanges for subresources, we propose to use the [`anchor` parameter](https://tools.ietf.org/html/rfc8288#section-3.2) to identify the replaced subresource. This may be the first use of the `anchor` parameter in the web platform.

[horo-t]

Done

[jyasskin]

Could you wrap lines at 80 columns?

[horo-t]

done

[jyasskin]

Suggested change

We want to extend the usage of the existing [rel=alternate](https://html.spec.whatwg.org/multipage/links.html#rel-alternate) link header for signed exchange. Using this link header, the content publishers can declare that the resource is available in signed exchange format. This can be used both by the crawlers of aggregator sites (SNS, News site, search engine..) and by the UAs. The crawlers can cache and serve the signed exchange of the content in their own server. The UAs can provide the users with a way to save the page in signe exchange format. And also signed exchange alternate links can be used to recursively prefetch appropriate subresource signed exchanges while prefetching the main resource signed exchange.

We want to extend the usage of the existing [rel=alternate](https://html.spec.whatwg.org/multipage/links.html#rel-alternate) link header for signed exchange. Using this link header, the content publishers can declare that the resource is available in signed exchange format. This can be used both by the crawlers of aggregator sites (social networks, News site, search engine..) and by the UAs. The crawlers can cache and serve the signed exchange of the content in their own server. The UAs can provide the users with a way to save the page in signe exchange format. And also signed exchange alternate links can be used to recursively prefetch appropriate subresource signed exchanges while prefetching the main resource signed exchange.

I think SNS means "social networking service", from https://en.wikipedia.org/wiki/SNS, but I had to look it up. We should expand acronyms at least the first time we use them, but I think we can just avoid this one.

[horo-t]

done

[jyasskin]

Suggested change

We want to extend the usage of the existing [rel=alternate](https://html.spec.whatwg.org/multipage/links.html#rel-alternate) link header for signed exchange. Using this link header, the content publishers can declare that the resource is available in signed exchange format. This can be used both by the crawlers of aggregator sites (SNS, News site, search engine..) and by the UAs. The crawlers can cache and serve the signed exchange of the content in their own server. The UAs can provide the users with a way to save the page in signe exchange format. And also signed exchange alternate links can be used to recursively prefetch appropriate subresource signed exchanges while prefetching the main resource signed exchange.

We want to extend the usage of the existing [rel=alternate](https://html.spec.whatwg.org/multipage/links.html#rel-alternate) link header for signed exchange. Using this link header, the content publishers can declare that the resource is available in signed exchange format. This can be used both by the crawlers of aggregator sites (SNS, News site, search engine..) and by the UAs. The crawlers can cache and serve the signed exchange of the content in their own server. The UAs can provide the users with a way to save the page in signed exchange format. And also signed exchange alternate links can be used to recursively prefetch appropriate subresource signed exchanges while prefetching the main resource signed exchange.

[jyasskin]

Suggested change

	- While the user of the UA is browsing an article (article.html), and if there is a signed exchange alternate link, the UA can provide the user with a way to save the page in signe exchange format. The saved file can be used to share with other users.
	- While the user of the UA is browsing an article (article.html), and if there is a signed exchange alternate link, the UA can provide the user with a way to save the page in signed exchange format. The saved file can be used to share with other users.

[jyasskin]

Suggested change

	1. And the inner response of the main resource signed exchange (article.html.sxg) has a preload header and an allowed-alt-sxg header:
	To prevent an attacker from loading an incompatible version of the subresource, the resource _inside_ the signed exchange has to identify the exact version of the replacement signed exchange using a `Link: ... rel="allowed-alt-sxg"` with the hash of the signed headers (which themselves include a hash of the content).
	To prevent a tracker from conveying a user ID in their choice of which subresources to prefetch, the inner resource has to preload the same subresources that the aggregator prefetches.

[horo-t]

done

[jyasskin]

Suggested change

	1. If the user clicks a link the article’s signed exchange, both the main resource of the article and the script are loaded from the prefetched signed exchanges.
	If the user navigates to the expected article, both the main resource of the article and the script subresource are loaded from the prefetched signed exchanges.

[horo-t]

Done

[jyasskin]

Also, to prevent tracking (user ID transfer), if the aggregator failed to prefetch a subresource that the main resource preloads, the UA must drop all of the subresource prefetches. If the aggregator prefetches a superset of the preloaded subresources, the UA must drop the ones that weren't preloaded.

[horo-t]

Done

[jyasskin]

Probably just remove this sub-header.

[horo-t]

Done

[jyasskin]

Suggested change

	While processing preload link HTTP headers in prefetched main resource signed exchange’s inner response:
	While prefetching an HTML resource:

Then write an explicit loop that checks if every preload has a matching and allowed prefetch before deciding to use all of the prefetches.

[horo-t]

Done

[horo-t]

Thank you for the review.

[horo-t]

Done

[horo-t]

done

[horo-t]

Deleted this whole sub-section.

[horo-t]

Done.

[horo-t]

Done.

[horo-t]

Done

[horo-t]

Done

[horo-t]

Done

[horo-t]

Done

[horo-t]

done

[jyasskin]

And to prevent the distributor from selecting a version of the subresource that isn't compatible with the selected version of the main resource, which might introduce a security hole.

[horo-t]

Done.

[horo-t]

Merged to one explainer.
https://github.com/horo-t/webpackage/blob/add-subresource-signed-exchange/explainers/signed-exchange-subresource-subtitution-explainer.md

Please review this.

[jyasskin]

This should start by describing the user-facing problem we want to solve, as described in https://github.com/w3ctag/w3ctag.github.io/blob/master/explainers.md.

Here, that might be the following, but please double-check that it actually captures what you mean, and that it's reasonable readable:

Users want to see the result of their clicks as fast as possible. This goal benefits from letting a site tell the UA to prenavigate to the particular outbound link(s) it thinks the user is most likely to click on. However, naively prenavigating to a cross-origin link leaks that user visited the referring page, which the referrer shouldn't do before the user has clicked. The referrer can safely prenavigate to a referrer-origin signed exchange for the top-level HTML of that link, but the UA still can't prefetch that link's subresources without leaking the same information about the user.

We want the referrer to be able to identify that a particular subresource of a prenavigated link is available as a signed exchange served by their own organization. The Link: <subresource.sxg>; rel="alternate", type="application/signed-exchange"; anchor="subresource" header is already defined to identify such alternate forms, where the anchor parameter states that the alternate form is for a resource other than the one the Link header is attached to.

Arbitrarily replacing a target link's subresources is unsafe for several reasons, so we propose that the target link opt into particular replacements by including a link with rel=allowed-alt-sxg.

We think the ` formulation is also useful for two other purposes:

1. Identifying to a UA or web crawler that the page they're visiting is available as a signed exchange that the user or crawler could download and then send to other users peer-to-peer. This doesn't need either rel=allowed-alt-sxg or the anchor parameter.
2. Identifying that some cross-origin subresources are available as same-origin signed exchanges. This needs the anchor parameter, but as long as the instruction to replace subresources is embedded in the document whose subresources are being replaced, it doesn't need rel=allowed-alt-sxg.

[horo-t]

I think we don't need "We think ..." in this explainer.
They are out of scope of this explainer.

[jyasskin]

Is this true? Who is it exposed to and under what circumstances? When is the alternative SXG even in the HTTP cache? Which partition?

[horo-t]

Changed to

This feature exposes the 1 bit information "the referrer page has prefetched the signed exchange subresources or not" to the publisher.

[jyasskin]

Say what the limitations accomplish here, not just that some phrases exist in other parts of this document.

[horo-t]

Added

Thanks to these limitations, this feature exposes only 1 bit information to the publisher.

[jyasskin]

Also, any personal information that was incorrectly included in a signed exchange would be the information of the aggregator that fetched the SXG, and not the end user.

The use of <link rel=alternate> to identify the SXG for the current page could inform the UA to omit credentials in fetching that SXG, which would prevent any personal information from being accidentally included.

[horo-t]

Added.

[horo-t]

Thank you very much for reviewing.

[horo-t]

Done.
If we change the syntax of imagesrcset, existing browsers may not understand the new syntax. I think we should avoid it.

[horo-t]

Done.
Ah, yes. We may be able to allow same-origin navigations.
But I prefer stricter restrictions for privacy and security.

[horo-t]

Done.
How about this?

[horo-t]

Changed to

If there are multiple subresource preloads that are provided by prefetches on
the previous page in signed exchange format

[horo-t]

Done.

If we don't need to think about privacy, when the HTTP cache has "lib.js", UAs don't need to fetch "lib.js.sxg" when the UA see rel=preload and rel=allowed-alt-sxg and rel=alternate for better performance. But we can't do that for the privacy reason.

[jyasskin]

This looks much better! Thank you for bearing with the long review.

I'm approving now, but feel free to ask for another round if you have more questions about my comments here.

[jyasskin]

I don't have a feeling for whether we're going to want prefetch or prenavigate here. I bet the TAG will ask too, so have an answer ready.

[horo-t]

Added Note.

[jyasskin]

"prenavigating" or "prefetching"?

[horo-t]

Added a link to the github issue.

[horo-t]

Thank you very much!

[horo-t]

Added Note.

[horo-t]

Added a link to the github issue.