Open KenjiBaheux opened 2 years ago
I recognise there are existing ways to plant evidence of unwholesome web browsing activity - but that doesn't mean its okay to introduce functionality to the web platform that lowers the bar to doing so.
At face value, the guidance seems to imply that we should never introduce any new mechanism for fetching content. But, getting things from the network is an on-going bread and butter for the web platform: WebTransport, anonymous iframes, JPEG XL decoding, ModuleServiceWorker, to name a few recent examples. This guidance seems highly impractical.
It's easier and more reliable* to fire a request for a will-get-you-into-trouble page with all the various means that already exists than it is to do so via a prerendering request. Furthermore, with the existing means, the response will be stored in the device's cache whereas with prerendering, the user needs to visit the page to leave a mark in the device's storage.
*: existing means are not "up to the browser", not controlled by a setting or user preferences (e.g. save data), or a group policy; unlike prerendering.
know more about how network monitoring systems differentiate between a normal request triggered explicitly by the user in the UA, a prerendered that the UA has decided to do on behalf of a user, and a fetch request made by a site without the users knowledge.
Typically, network monitoring systems only see things like plain text DNS lookups, TLS handshake with SNI if present, connections to specific IP addresses. Higher level things like purpose or the triggering mechanism are not visible by such systems. If such simple signals on the network were enough to get folks in trouble, then it should already be a huge problem today.
In short, prerendering doesn't bring anything interesting/new over existing mechanisms, and is in fact weaker given that it doesn't have unexpected repercussions on the device's storage.
From issue #101, there is a question about if/how cross-origin prerendering could be abused to incriminate a user subject to network monitoring.
The following scenario has been proposed as an example:
More concretely for the former scenario (my assumptions):
The second scenario appears to be similar enough in principle.