Cross-site loads of signed packages should be done stateless and with no personalization

[johnwilander]

As brought up by @cramforce in https://github.com/WICG/webpackage/issues/422#issuecomment-485054801, we should require cross-site loads of signed packages to be stateless. Specifically:

• The request chain must be credential-less. Maybe we can leverage some Fetch policy here.
• It must be an HTTP GET request.
• The request URL must not have a query string or fragment.
• The path of the package request must be the same as the path on the target domain.

The above requirements are to ensure that cross-site tracking or personalization information is not transferred in the request for the package.

[dfabulich]

A common tracking technique is to put personalized information in the ETag, e.g. ETag: W/your-login-id-plus-content-hash

Thus, to be truly stateless, the request would also have to prevent conditional GET requests (If-None-Match, If-Modified-Since)

[davidben]

From the Chrome anti-tracking team, we agree that SXGs should require mitigations for cross-site information flow. We think the suggestions here should be adopted, though of course details like how to trigger such a credential-less navigation still need to be worked out.

A minor quibble/note, the last two points as written require a distinct distributor origin per publisher origin, which seems off. (It even risks the SXG prefetch leaking the distributor origin via DNS and SNI.) I would suggest rephrasing it as: the path + query string of the navigation needs to be some specific deterministic function of the SXG target URL. For instance, https://distributor.example/.well-known/sxg/[some encoding or cryptographic hash of target URL].