whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Privacy-preserving single-keyed cache via declarative preloading #9365

Open josephrocca opened 1 year ago

josephrocca commented 1 year ago

I'm almost certainly missing something here, and I'm not sure if this is the best venue to ask a question like this (I considered SO - seems off-topic), but:

I'm wondering if it's possible to allow web devs to add some sort of declaration to their `<head>` which basically says "don't start running scripts on the page until these resources have been preloaded", such that the page's scripts can never extract information based on the load timing of those resources, because from the script's perspective, they always load instantly.

This obviously wouldn't cover all use cases where caching is important, but it seems like there would be quite a few cases where this would be useful. And it seems like it aligns with the emerging paradigm where scripts aren't actually loaded initially - i.e. server rendering + some sort of eventual 'hydration'.

My only guess here is that there's a lot of implementation complexity in preventing scripts from running like this? Relative to the predicted benefits of something like this, I mean.

annevk commented 1 year ago

There's a long thread about shared caches on https://github.com/w3c/webappsec-subresource-integrity/issues/22. That's kind of the canonical issue on this.

Apart from running script, there are also networking side channels, timing APIs, and probably some more things to consider.