WICG / nav-speculation

Proposal to enable privacy-enhanced preloading
https://wicg.github.io/nav-speculation/

Speculations over HTTP - inconsistency with prefetch and prerender #313

Open tunetheweb opened 1 month ago

tunetheweb commented 1 month ago

Currently prerender is permitted over HTTP and HTTPS, while prefetch only works over HTTPS.

While there are some differences (prefetch can apply in cross-origin context while prerender cannot), the inconsistency is a little confusing.

We have been moving towards restricting powerful APIs to HTTPS-only; it would make more sense to me to restrict prerender, rather than relax prefetch, but either way I think we should resolve the inconsistency.

domenic commented 1 month ago

Based on some Chrome data, 0.2% of prerenders are over non-secure HTTP. I think we should disable it.

jeremyroman commented 1 month ago

I think the additional reason here is to diminish the risk of user activity being disclosed to folks able to sniff network traffic (e.g., public Wi-Fi) unless the user really wants to go there (in which case it's the only way to satisfy their intent).

Filed https://crbug.com/340895233 on the Chromium side; @domenic do you want to triage/prioritize this issue and the Chromium bug from here (or ask someone else in Tokyo to)?