Feature Policy: lazyload

ehsan-karamad commented 6 years ago

Proposing a new feature policy for lazy-loading which will overwrite the default or specified behavior of lazyload attribute for <iframe> and <img>. The proposed name for the feature is lazyload.

The lazyload attribute (for an <iframe> or <img>) takes on three values of auto (decision of lazy-loading is deferred to the user agent), on (the contents will be loaded lazily), off (the contents will not be loaded lazily).

The proposed lazyload feature is a parameterized feature which takes one of the three values of:

auto: the default behavior of lazyload attribute is not altered (user agent decides) .
off: the default behavior of lazyload is set to off. For example, if the site www.example.com sets its header policy to Feature Policy: lazyload 'self'(off), then
```
<iframe src="https://www.example.com/a" lazyload="on"></iframe>
```
will still load the contents lazily due to the defined attributes, but
```
<iframe src="https://www.example.com/b"></iframe>
```
will not load the contents lazily since the feature is set to off by default.
force: ignores the value of lazyload attribute and enforces it to on for all <iframe> and <img> . For example, if a site sets its header policy to Feature Policy: lazyload *(force) then all <iframe>'s and <img>'s from all domains will be loaded lazily. For example in
```
<iframe src="http://www.example.com/" lazyload="off"></iframe>
```
the provided attributed is ignored and the contents will be loaded lazily due to policy enforcement. Also, since the lazyload attribute setting is in violation of the lazyload feature, such a usage may trigger a violation error.

The feature can also be set through container policies, for instance:

<iframe allow="lazyload *(force)" src="https://www.example.com" lazyload="off"></iframe>

which will enforce lazy loading for all domains. This would include https://www.example.com.

Malvoz commented 6 years ago

Just to clarify, I believe you missed the single quotes for the self and none values. And I would assume we set (auto|off|force) flags outside the single quotes? e.g. Feature Policy: lazyload 'self'(force) and the all (*) directive like so: Feature Policy: lazyload *(force).

ehsan-karamad commented 6 years ago

Thanks you are right. I fixed the missing single quotes for self.

alvarotrigo commented 5 years ago

Any way to detect whether the browser supports this feature or not? So we can use other lazy load libraries in case it doesn't ?

triblondon commented 5 years ago

Doesn't this feature have a really confusing name? I'm reading https://github.com/w3c/webappsec-feature-policy/blob/master/policies/lazyload.md, where it says:

Feature Policy: lazyload 'self' https://example.com would not allow synchronous loading for any or <img> (that is not yet in the viewport) from origins other than 'self' or <a href="https://example.com">https://example.com</a>.</p> </blockquote> <p>So, wait, if I apply the <code>lazyload</code> policy to example.com, then everything <strong>except</strong> example.com enforces lazy loading? I read it like 6 times and I can't see how that makes any sense...</p> <p>Suggestions: <code>greedy-load</code>, <code>preload-offscreen</code></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ehsan-karamad"><img src="https://avatars.githubusercontent.com/u/12000565?v=4" />ehsan-karamad</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Any way to detect whether the browser supports this feature or not? So we can use other lazy load libraries in case it doesn't ?</p> </blockquote> <p>I think on Chrome 74 with "Experimental Web Platform" flag off, |el.lazyload| would return <code>undefined</code>. However, it would return <code>auto</code> if the flag is on.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ehsan-karamad"><img src="https://avatars.githubusercontent.com/u/12000565?v=4" />ehsan-karamad</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Doesn't this feature have a really confusing name?</p> </blockquote> <p>I agree the name is confusing; it is supposed to suggest the <em>full control over the <code>lazyload</code> attribute</em>, i.e., of disabled you cannot do certain things. Another alternative we are thinking is the term<code>eager-loading</code>. I like the <code>preload-offscreen</code> as well since it is very descriptive of what the policy does.</p> <blockquote> <p>I'm reading <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/lazyload.md">https://github.com/w3c/webappsec-feature-policy/blob/master/policies/lazyload.md</a>, where it says: Feature Policy: lazyload 'self' <a href="https://example.com">https://example.com</a> would not allow synchronous loading for any <iframe> or (that is not yet in the viewport) from origins other than 'self' or <a href="https://example.com">https://example.com</a>.</p> <p>So, wait, if I apply the lazyload policy to example.com, then everything except example.com enforces lazy loading? I read it like 6 times and I can't see how that makes any sense...</p> <p>Suggestions: greedy-load, preload-offscreen</p> </blockquote> <p>So, this feature is about the full right to use the <code>lazyload</code> attribute (and essentially the <code>off</code> state) on <code><img></code> and <code><iframe></code> elements. This means if the feature is disabled for an origin, then the origin <em>cannot</em> avoid lazyloading some content by setting the <code>lazyload</code> attribute value to <code>off</code>. If they did there will be enforcement (i.e., <code>off</code> changes to <code>auto</code> and browser decides what is best to do) and a policy violation report is generated.</p> <p>For the specific example, if a website would define</p> <pre><code>Feature Policy: lazyload http://example.com</code></pre> <p>then any embedded content from <code>http://example.com</code> <em>is</em> allowed to use <code>lazyload=off</code> on its own <code><img></code> and <code><iframe></code> elements. However if the website embeds a <code>http://foo.com</code> which tries to do that they would end up violating the feature (e.g., <code>lazyload</code> enforced and a violation report is generated).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ehsan-karamad"><img src="https://avatars.githubusercontent.com/u/12000565?v=4" />ehsan-karamad</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Closed by accident :).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/triblondon"><img src="https://avatars.githubusercontent.com/u/1735391?v=4" />triblondon</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>So, this feature is about the full right to use the <code>lazyload</code> attribute (and essentially the <code>off</code> state) on <code><img></code> and <code><iframe></code> elements. This means if the feature is disabled for an origin, then the origin <em>cannot</em> avoid lazyloading some content by setting the <code>lazyload</code> attribute value to <code>off</code>. If they did there will be enforcement (i.e., <code>off</code> changes to <code>auto</code> and browser decides what is best to do) and a policy violation report is generated.</p> </blockquote> <p>Yes, I understand that, but that's because I've read it six times :-) I really hope we can rename. <code>eager-loading</code> would work but sounds a bit too positive, so I would worry that people would throw it in thinking it sounded like a best practice. If you like <code>preload-offscreen</code> that sounds like a good option, as long as the semantics of the 'lazyload' attribute continue to be about viewport intersection, which is explicit in the naming of 'preload-offscreen' but not in 'lazyload'.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ehsan-karamad"><img src="https://avatars.githubusercontent.com/u/12000565?v=4" />ehsan-karamad</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>There is a <a href="https://github.com/w3c/webappsec-feature-policy/pull/293">PR</a> which would rework and rename the proposed <code>lazyload</code> policy. The new policy modifies the default/<code>auto</code> behavior of the <code>loading</code> <a href="https://github.com/whatwg/html/pull/3752">attribute</a>. The new name is <code>loading-frame-default-eager</code> and by turning it off, the <code><iframe></code>s inside the document will not load eagerly unless they have <code>loading="eager"</code> explicitly set. A similar policy should be proposed for <code><img></code>.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/triblondon"><img src="https://avatars.githubusercontent.com/u/1735391?v=4" />triblondon</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p><code>loading="eager"</code>? Not <code>allow="loading-frame-default-eager *"</code>?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/Malvoz"><img src="https://avatars.githubusercontent.com/u/26493779?v=4" />Malvoz</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>@ehsan-karamad </p> <p>Both the <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/loading-frame-default-eager.md">loading-frame-default-eager.md</a> and <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/loading-image-default-eager.md">loading-image-default-eager.md</a> documents seem to be missing some sentencing in the "What does this mean" section:</p> <blockquote> <p>With the <code>loading-frame-default-eager</code> policy, developers could prioritize the loading of different inline frames on a web page. This however could become a cumbersome process and not quite scalable for larger web sites; specially given that applying the attribute is origin-agnostic. The proposed policy aims to resolve this issue by changing a browser's default decision for <code>loading</code> behavior.</p> </blockquote> <p>I think before the sentence: "<em>This however could become a cumbersome process [...]</em>" it should be explained that (e.g) "<em>Developers may use the <code>loading</code> attribute to specify the loading behavior of an {image|iframe}.</em>".</p> <p>Is that correct? If so, I can PR unless you want to do it.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ehsan-karamad"><img src="https://avatars.githubusercontent.com/u/12000565?v=4" />ehsan-karamad</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>@ehsan-karamad</p> <p>Both the <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/loading-frame-default-eager.md">loading-frame-default-eager.md</a> and <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/loading-image-default-eager.md">loading-image-default-eager.md</a> documents seem to be missing some sentencing in the "What does this mean" section:</p> <blockquote> <p>With the <code>loading-frame-default-eager</code> policy, developers could prioritize the loading of different inline frames on a web page. This however could become a cumbersome process and not quite scalable for larger web sites; specially given that applying the attribute is origin-agnostic. The proposed policy aims to resolve this issue by changing a browser's default decision for <code>loading</code> behavior.</p> </blockquote> <p>I think before the sentence: "<em>This however could become a cumbersome process [...]</em>" it should be explained that (e.g) "<em>Developers may use the <code>loading</code> attribute to specify the loading behavior of an {image|iframe}.</em>".</p> <p>Is that correct? If so, I can PR unless you want to do it.</p> </blockquote> <p>Thanks for pointing this out. Yes. I believe this is would look better. Please send a PR and also have @clelland take a look.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/Malvoz"><img src="https://avatars.githubusercontent.com/u/26493779?v=4" />Malvoz</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>@RGHuhn</p> <p>Yes, as stated in <a href="https://github.com/w3c/webappsec-feature-policy/issues/193#issuecomment-484109871">https://github.com/w3c/webappsec-feature-policy/issues/193#issuecomment-484109871</a> the <code>lazyload</code> policy was changed, and divided into 2 policies, namely <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/loading-image-default-eager.md"><code>loading-image-default-eager</code></a> and <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/policies/loading-frame-default-eager.md"><code>loading-frame-default-eager</code></a>.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/domfarolino"><img src="https://avatars.githubusercontent.com/u/9669289?v=4" />domfarolino</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>As @Malvoz mentioned, this policy has been split in two, so can this be closed? Also, I'm curious as to the reasoning for splitting this into image- and frame-policies in the first place. Is having one policy to control all <code>loading=auto</code> behavior too coarse/powerful?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/eeeps"><img src="https://avatars.githubusercontent.com/u/3441390?v=4" />eeeps</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>Should this be revisited, in light of the Permissions-Policy → Document-Policy/Structured Headers changes?</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

WICG / document-policy

Feature Policy: lazyload #6