
Issue 605921

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




<link rel="dns-prefetch"> is not enabled on HTTPS origins

Project Member Reported by csharrison@chromium.org, Apr 22 2016

Issue description

The spec is here:
http://w3c.github.io/resource-hints/

It isn't totally clear, but from the description of the preconnect section it seems like DNS resolution should occur for HTTPS origins.

Note that the security policy for DNS prefetching is described here:
https://www.chromium.org/developers/design-documents/dns-prefetching

What's the correct approach here?
 
From: https://www.chromium.org/developers/design-documents/dns-prefetching

> By default, Chromium does not prefetch host names in hyperlinks that appear in HTTPS pages. This restriction helps prevent an eavesdropper from inferring the host names of hyperlinks that appear in HTTPS pages based on DNS prefetch traffic.

Note that this policy is for *browser initiated* DNS-prefetch.

Declarative dns-prefetch hints provided by the content author should be respected regardless of the scheme. We should always process <link rel=dns-prefetch>, same as rel={prefetch, preconnect, prerender}.
Status: WontFix (was: Untriaged)
Ah you're right. I misread the code, and assumed that all policy was read from Document::isDNSPrefetchEnabled, which is false for http sites.

However, that policy is only used for href scanning and hovering.

Marking as WontFix, because this is desired behavior.
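
The distinction drawn in this thread, as an added example that is not part of the original issue and is not Chromium code: a small audit helper that lists which cross-origin hostnames a page exposes to DNS prefetch, separating author-declared `<link rel="dns-prefetch">` hints from browser-initiated href scanning. The function names, the sample page and its hostnames are hypothetical, and the model assumes href scanning is on by default for non-HTTPS pages and that same-host links are ignored.

```javascript
// Constructed sample page (hypothetical hostnames), used for both schemes below.
const SAMPLE_HTML = `
<html><head>
<link rel="dns-prefetch" href="//cdn.example.net">
<link rel="stylesheet" href="https://static.example.org/site.css">
</head><body>
<a href="https://partner.example.com/offer">offer</a>
<a href="/local/page">local</a>
</body></html>`;

// Parse the attributes of one start tag into an object with lowercase keys.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Model of the policy in this thread (an assumption-labelled sketch):
//  - declarative <link rel=dns-prefetch> hints are honoured on any scheme
//  - browser-initiated scanning of <a href> is skipped on HTTPS pages
function dnsPrefetchHosts(html, pageUrl) {
  const base = new URL(pageUrl);
  const declarative = new Set();
  const browserInitiated = new Set();
  for (const [tag, name] of html.matchAll(/<(link|a)\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.href) continue;
    let host;
    try { host = new URL(attrs.href, base).hostname; } catch { continue; }
    if (host === base.hostname) continue; // same host: nothing new to resolve
    if (name.toLowerCase() === 'link') {
      const rels = (attrs.rel || '').toLowerCase().split(/\s+/);
      if (rels.includes('dns-prefetch')) declarative.add(host);
    } else if (base.protocol !== 'https:') {
      browserInitiated.add(host);
    }
  }
  return { declarative: [...declarative], browserInitiated: [...browserInitiated] };
}

console.log(dnsPrefetchHosts(SAMPLE_HTML, 'https://shop.example/'));
console.log(dnsPrefetchHosts(SAMPLE_HTML, 'http://shop.example/'));
```

On the HTTPS page only the author-declared hostname is listed, which is the set an on-path observer of DNS traffic could learn from prefetching under this model.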
