Sending a Purpose: prefetch header for prefetched resources
#74
Comments
|
Sounds like a good plan 👍 |
|
To what extent does this header interact with |
|
Anne suggests we specify this header in Fetch, by keying off the initiator. He points out that we need to also decide which of the lists starting at https://fetch.spec.whatwg.org/#cors-safelisted-request-header it should appear in. We can imitate whatwg/fetch#751 to actually add the header. |
|
FWIW, I suspect we probably don't want to add it to any list. |
|
While discussing how cross-origin prefetch could be processed we came across this one; if we want to make all cross-origin prefetches non no-cors (and it feels we should) we probably should 1) document this header in the spec, and 2) add it to the reasonable cors safelist or consider renaming the header name to something like 'Sec-'. |
|
@annevk do you have any specific reason why we don't want to? I'm working on re-designing of Chrome CORS implementation so that we can do the most things outside the renderer processes safely, and notice that this Purpose header triggers CORS preflight in the new implementation. If we allows JavaScript to specify this, we want to add it to the CORS-safelisted request-header (https://fetch.spec.whatwg.org/#cors-safelisted-request-header). Otherwise, adding to the forbidden header name (https://fetch.spec.whatwg.org/#forbidden-header-name), or using 'Sec-' prefixed header name sounds preferable answer for this. IMO, the purpose header should be fully controlled by user-agents. So, forbidden is the right list. |
|
In that case adding the Ideally these lists are largely treated as immutable as otherwise clients and servers have moving targets for maintaining SOP protections. |
|
@annevk thoughts on wholesale safelisting anything with a |
|
@yoavweiss I think that's the rough consensus. That browsers are allowed to emit new |
|
@yoavweiss interesting, that definitely seems like something that's worth splitting out and tackling separately. |
|
@annevk - will do! |
|
As I also commented at #880, Sec- prefix is already in the Fetch spec. We should not move it from the forbidden list to the safelist. It causes a security risk. Since Sec- headers are ensured that they are not set by JavaScript but by user-agents, servers can accept them safely. Otherwise, we should make a CORS preflight request. |
|
Anyway, it looks we agreed that renaming the Purpose header to Sec-Purpose is preferable. This header haven't spec-ed until today, but it will be a breaking change for users who already relies on that. @yoavweiss , do you know how widely is this header already known and used? Or any concern if I make this change in the 75? |
No particular concerns, but it seems like something that would benefit from an Intent. |
|
Hi @yoavweiss , just checking in here. Our team at Amazon is looking to leverage the "purpose: Prefetch" request header. Is it advisable to still use the same header or has the working group formalized a header format for prefetch requests? |
|
No progress to report on just yet. Sorry. I'm hoping progress would be made here soon... |
@mikewest at https://bugs.chromium.org/p/chromium/issues/detail?id=942976#c14 expressed not wanting both Could it make sense to add Perhaps it is just an issue with naming, and this could be a header like |
|
I might have misunderstood how prefetch integrates into Fetch. My understanding (based on the table just below https://fetch.spec.whatwg.org/#request-destination-script-like), is that If things work differently, such that prefetched resources have a defined destination, then I agree that it would make sense to define some other mechanism of representing it. Would exposing the initiator directly be reasonable? That would have the advantage of exposing a "download" intent as well, which could be helpful when servers are making decisions. If not, then a |
|
Good point, this was actually a similar discussion we were also having, and I filed a new bug at whatwg/fetch#1252 about whether destination should be the empty string for these. I don't see an issue with exposing the initiator but am not well-versed in the implications of doing so. Assuming it is acceptable, would it be exposed as something like Sec-Fetch-Initiator in that case? |
|
I think my only concern with If there's good reason not to mirror the value, then I think it'd be worth looking into |
|
/cc @arturjanc and @lweichselbaum, who might have thoughts about initiator values in request headers. |
|
I fully agree with the approach described in #74 (comment) and don't have much to add. Specifically, |
|
Chromium is using If we want to properly specify that behavior, it makes sense to keep prefetches' destinations intact. If that's the case, |
|
If Chromium is doing a thing, properly specifying the thing (or changing the thing so that it matches the existing spec) sounds like a good idea. :) I don't have strong feeling about the direction y'all choose here. I think either option we're discussing is defensible. Which would y'all prefer? |
|
Chromium's behavior has been trying to formulate things on top of the existing spec'ed concepts (i.e. initiator and destinations are orthogonal and prefetch also has as= attribute), we can remove the behavior with as= attribute if we want to reconsider the part, but we'll want to keep having some indication (at fetch layer) for 'prefetching resources for next navigation' cases anyways. The WIP spec text for the document-level prefetch (or prerender) is being developed/discussed here (in my understanding): https://github.com/jeremyroman/alternate-loading-modes/blob/main/fetch.md For prerendering if we mirror 'prerender' to the destination it feels it's a bit unclear what Sec-Fetch-Dest headers subresource fetch requests for prerender should use. If we just use 'prerender' it'll lose the real final destination context, but if we just use the final destination it'll lose the context that it's for prerendering. With these contexts I'd vote for Sec-Fetch-Pre{fetch,load,render}: ?1 (but can be convinced if others have reasons not to prefer this one / other better alternatives for above cases) |
|
It looks like Firefox sets an |
Continuation of #34498 this updates to send a `purpose: prefetch` header (related [w3c discussion](w3c/resource-hints#74)) when prefetching data routes and then on the server we skip revalidating when this header is set. When a client-transition is actually made we send a background HEAD (non-blocking) request to the data route without the `purpose: prefetch` header which signals a revalidation should occur if the data is stale. This helps alleviate the number of revalidations occurring currently caused by prefetches as a path can be prefetched but not visited during a session so may not need to be revalidated yet. Fixes: #17758 x-ref: #20521 x-ref: [slack thread](https://vercel.slack.com/archives/C031QM96T0A/p1645129445819139?thread_ts=1645124478.067049&cid=C031QM96T0A)
|
whatwg/html#8111 now specifies |
This replaces the existing `Purpose: prefetch` and `x-moz: prefetch` headers. Tests: web-platform-tests/wpt#35707. Part of whatwg/html#8111. Closes w3c/webappsec-fetch-metadata#84 and w3c/resource-hints#74. Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Chrome seems to be setting a
Purpose: prefetchheader for prefetched resources. I'm not sure what other implementations are doing.This is not documented in the spec, but seems to be something developers are interested in. (presumably in order to tell apart in their server-side analytics which resources were prefetched vs. which ones were explicitly needed by the browser)
We should probably add it to the spec (or decide that it's an awful, awful idea and file bugs against implementations that do that).
The text was updated successfully, but these errors were encountered: