
Integrate with speculation rules #808

Open

vickiez wants to merge 4 commits into w3c:main from vickiez:external-spec-rules

Conversation


@vickiez vickiez commented Mar 13, 2026

Adds the following:

From #776:

  • Handling of the new "speculationrules" request destination, which is used by the Speculation-Rules HTTP header

Note: there is no longer a need to add inline-speculation-rules from #776, because it is redundant with the addition of the speculation-rules-src directive described below.

New additions:

  • New speculation-rules-src fetch directive that restricts the sources from which speculation rules may be loaded, whether via <script> elements or the Speculation-Rules HTTP response header
  • Fallback chain: speculation-rules-src → script-src-elem → script-src → default-src, applied uniformly to both inline and external speculation rules
  • Handling of the "speculationrules" request destination now returns speculation-rules-src (removing the previous header exemption that returned null).

This reflects the agreed plan from whatwg/html#11697



domenic and others added 3 commits April 1, 2026 14:03
This upstreams the monkeypatches from https://wicg.github.io/nav-speculation/speculation-rules.html#content-security-policy. At a high level, the additions are:

- A new directive, `inline-speculation-rules`, which can be used if developers want to block inline JavaScript `<script>`s but allow inline `<script type=speculationrules>`s. This is done by introducing a new script type, `script speculationrules`, to sit alongside the existing `script` and `script attribute` types; HTML passes this new value in.

- Handling of the new `"speculationrules"` request destination, which is used by the `Speculation-Rules` HTTP header. It cannot be blocked by CSP.
@vickiez vickiez force-pushed the external-spec-rules branch from 22806ee to 4e8aad7 Compare April 1, 2026 21:05
@vickiez vickiez marked this pull request as ready for review April 1, 2026 21:05
@antosart (Member) commented Apr 2, 2026

We don't need the keyword inline-speculation-rules if we have speculation-rules-src, no? Developers will just be able to specify speculation-rules-src 'unsafe-inline'; script-src 'none' or something. I think having both is just confusing.

@hiroshige-g commented May 8, 2026

IIUC (please correct me if wrong) this PR contains a major behavior change that would break existing websites without updates to the pages' CSP:
Applying the speculation-rules-src CSP directive to Speculation-Rules header-initiated requests to external speculation-rules JSON files (while previously CSP was exempted per https://chromestatus.com/feature/5123809745829888).

To avoid breakage, pages should e.g. add speculation-rules-src directive that allows the requests to the JSON files if the pages have e.g. script-src CSP directives that would forbid the requests (which is likely).

cc/ @tunetheweb @nhiroki WDYT?

FYI Also see whatwg/html#11697 (comment) whatwg/html#11697 (comment) and around for previous context for direction/planning around external speculation rules.
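To make the fallback chain from the PR description concrete (speculation-rules-src → script-src-elem → script-src → default-src), and to show the compatibility concern raised in the comment above (a page whose script-src forbids the JSON host would start blocking header-initiated rules once the header exemption is removed), here is an added JavaScript model. It is not code from this PR, the CSP specification, or any browser. The policy strings, document origin and rules URL are constructed, and source-expression matching is a deliberate simplification (only 'self', 'none', 'unsafe-inline', '*', and host sources given as scheme://host or a bare hostname are understood; nonces, hashes, wildcard hosts and paths are not modelled).

```javascript
// Added illustration, not the CSP spec algorithm or a browser implementation.
// Fallback chain as stated in the PR description; script-src-elem's chain is
// the existing one and is included so the legacy inline behaviour can be modelled.
const FALLBACK = {
  "speculation-rules-src": ["speculation-rules-src", "script-src-elem", "script-src", "default-src"],
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
};

// Parse a serialized policy ("a b; c d") into Map<directive, [sources]>.
// As in CSP, a repeated directive name keeps its first occurrence.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const token of serialized.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Walk the fallback chain; return the first directive present in the policy,
// or null when nothing governs the request (which means "allow").
function governingDirective(policy, effectiveDirective) {
  const chain = FALLBACK[effectiveDirective] || [effectiveDirective];
  return chain.find((name) => policy.has(name)) || null;
}

// Simplified host-source match: scheme://host compares origins, a bare
// hostname compares hostnames only.
function hostSourceMatches(source, url) {
  try {
    const target = new URL(url);
    if (source.includes("://")) return new URL(source).origin === target.origin;
    return source.toLowerCase() === target.hostname.toLowerCase();
  } catch {
    return false;
  }
}

function sourceListAllowsUrl(sources, url, documentOrigin) {
  for (const source of sources) {
    if (source === "'none'") continue;        // matches nothing
    if (source === "*") return true;
    if (source === "'self'") {
      if (new URL(url).origin === documentOrigin) return true;
      continue;
    }
    if (source.startsWith("'")) continue;     // other keywords are not host sources
    if (hostSourceMatches(source, url)) return true;
  }
  return false;
}

// External rules fetched because of a Speculation-Rules header: request
// destination "speculationrules", effective directive speculation-rules-src.
function allowsExternalSpeculationRules(serializedPolicy, url, documentOrigin) {
  const policy = parsePolicy(serializedPolicy);
  const name = governingDirective(policy, "speculation-rules-src");
  return name === null || sourceListAllowsUrl(policy.get(name), url, documentOrigin);
}

// Inline <script type="speculationrules">: same chain, checked for 'unsafe-inline'.
function allowsInlineSpeculationRules(serializedPolicy) {
  const policy = parsePolicy(serializedPolicy);
  const name = governingDirective(policy, "speculation-rules-src");
  return name === null || policy.get(name).includes("'unsafe-inline'");
}

// Behaviour this PR removes: header-initiated fetches of speculation rules were
// exempt from CSP (the "header exemption that returned null").
function allowsExternalSpeculationRulesLegacy() {
  return true;
}

// Constructed scenario: a page whose CSP predates speculation-rules-src serves
// its rules JSON from a CDN origin that script-src 'self' does not cover.
function demo() {
  const docOrigin = "https://app.example";
  const rules = "https://cdn.example/rules.json";
  const before = "script-src 'self'; default-src 'none'";
  const after = "speculation-rules-src https://cdn.example; script-src 'self'; default-src 'none'";
  return {
    legacy: allowsExternalSpeculationRulesLegacy(),
    withThisPR: allowsExternalSpeculationRules(before, rules, docOrigin),
    afterAddingDirective: allowsExternalSpeculationRules(after, rules, docOrigin),
  };
}
```

In the constructed scenario, demo() reports the fetch as allowed under the old exemption, blocked under this PR because the chain falls through to script-src 'self', and allowed again once the page adds speculation-rules-src naming the CDN, which is the mitigation suggested in the comment above.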

@hiroshige-g

Also, this PR applies the speculation-rules-src CSP directive instead of script-src-elem to <script type="speculationrules"> (i.e. inline speculation rules).
This would keep the existing behavior (because we'll fall back to script-src-elem anyway) if pages already have a speculation-rules-src CSP directive (which is unlikely). This just opens a new option to specify speculation-rules-src without affecting the more general script-src-elem.

@tunetheweb (Member)

Yes I thought we’d previously agreed that the HTTP Header version was out of scope? Because if you’ve the ability to set HTTP Headers then you’ve no guarantees on CSP anyway (since that is also usually set via HTTP Headers).

Also, can I understand what this does for inline-speculation-rules for <script type="speculationrules">? Is this replacing that with the new speculation-rules-src: inline directive? That would cause breakage to anyone who’s already deployed this under the old name, so we need to check the web compatibility of any such change.

@annevk (Member) commented May 10, 2026

CSP should apply to links in HTTP headers as well to remain consistent.
