Skip to content

Integrate with speculation rules #776

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Integrate with speculation rules #776

wants to merge 1 commit into from

Conversation

domenic
Copy link
Contributor

@domenic domenic commented Jul 10, 2025
edited by pr-preview bot
Loading

This upstreams the monkeypatches from https://wicg.github.io/nav-speculation/speculation-rules.html#content-security-policy. At a high level, the additions are:

  • A new directive, inline-speculation-rules, which can be used if developers want to block inline JavaScript <script>s but allow inline <script type=speculationrules>s. This is done by introducing a new script type, script speculationrules, to sit alongside the existing script and script attribute types; HTML passes this new value in.

  • Handling of the new "speculationrules" request destination, which is used by the Speculation-Rules HTTP header. It cannot be blocked by CSP.

This should be merged a bit after whatwg/html#11426. Otherwise it will reference the WICG draft.

Preview | Diff

@domenic domenic mentioned this pull request Jul 10, 2025
Merged
9 tasks
@domenic
Copy link
Contributor Author

domenic commented Jul 10, 2025

The build error appears to be preexisting.

@antosart
Copy link
Member

The build error should be fixed with #777.

@domenic
Integrate with speculation rules
8c2dcb5 
This upstreams the monkeypatches from https://wicg.github.io/nav-speculation/speculation-rules.html#content-security-policy. At a high level, the additions are:

- A new directive, `inline-speculation-rules`, which can be used if developers want to block inline JavaScript `<script>`s but allow inline `<script type=speculationrules>`s. This is done by introducing a new script type, `script speculationrules`, to sit alongside the existing `script` and `script attribute` types; HTML passes this new value in.

- Handling of the new `"speculationrules"` request destination, which is used by the `Speculation-Rules` HTTP header. It cannot be blocked by CSP.
@domenic domenic force-pushed the speculationrules branch from 16bb13b to 8c2dcb5 Compare July 10, 2025 06:58
@domenic
Copy link
Contributor Author

domenic commented Jul 10, 2025

Rebased!

@tunetheweb tunetheweb mentioned this pull request Sep 19, 2025
Merged
@domenic
Copy link
Contributor Author

domenic commented Sep 24, 2025

This is ready to merge!

mikewest
mikewest approved these changes Sep 24, 2025
View reviewed changes
Copy link
Member

@mikewest mikewest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM, and as it's landed in HTML it should meet the requirements we're starting to pull together for additions to CSP.

I'll wait a bit for @antosart to have any feedback, but I'm comfortable merging this at this point.

Thanks!

@antosart antosart mentioned this pull request Sep 24, 2025
Open
5 tasks
@antosart
Copy link
Member

This looks good to me, too, but see whatwg/fetch#1841 (comment). Would it make sense to provide more context and link to some reasoning on the decision of gating <script type="speculationrules"> behind script-src while completely exempting the header Speculation-Rules from CSP?

@domenic domenic mentioned this pull request Sep 26, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikewest mikewest mikewest approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@domenic @antosart @mikewest