NEL scope different in the latest editor's draft and the original paper behind NEL
polcak opened this issue · 6 comments
As raised in the #150, the original paper behind NEL limits the scope of NEL to:
We can only collect information about requests that user agents issue when users voluntarily access services on the Web. We cannot issue requests in the background (i.e., outside of normal user activity), even though this prevents us from proactively ascertaining service reachability
However, the definition of normal user activity and limitations of NEL to the requests of normal user activity are not a part of the latest editor's draft. Is that intentional?
In particular:
- Is NEL supposed to collect information on requests initiated by installed webextensions?
- Is NEL supposed to collect information on requests initiated by web pages opened by a user while the user leaves the device while the browser is running?
- Is NEL supposed to collect information on requests initiated by web pages running in tabs that are not visible to the user (the user is interacting with another tab of the same browser).
- Is NEL supposed to collect information on requests initiated by web pages while the user switched to a different application (e.g. the browser is not active, is minimized, runs on a different desktop etc.)?
- Is NEL supposed to collect information on requests initiated by web pages while the user switched to a different application or browser window but the web page is still visible on the screen?
As raised in the #150, the original paper behind NEL limits the scope of NEL to:
We can only collect information about requests that user agents issue when users voluntarily access services on the Web. We cannot issue requests in the background (i.e., outside of normal user activity), even though this prevents us from proactively ascertaining service reachability
However, the definition of normal user activity and limitations of NEL to the requests of normal user activity are not a part of the latest editor's draft. Is that intentional?
As stated in #150 (comment), the concepts this phrase alludes are not existing web concepts.
- Is NEL supposed to collect information on requests initiated by installed webextensions?
I believe that the answer to that from an implementation perspective is no. (@clelland - please correct me if I'm wrong). I'm not sure how we can define that though, as I don't think Fetch has a concept of extension-initiated resources. (@noamr - am I missing it?)
- Is NEL supposed to collect information on requests initiated by web pages opened by a user while the user leaves the device while the browser is running?
Yes.
- Is NEL supposed to collect information on requests initiated by web pages running in tabs that are not visible to the user (the user is interacting with another tab of the same browser).
Yes.
- Is NEL supposed to collect information on requests initiated by web pages while the user switched to a different application (e.g. the browser is not active, is minimized, runs on a different desktop etc.)?
Yes.
- Is NEL supposed to collect information on requests initiated by web pages while the user switched to a different application or browser window but the web page is still visible on the screen?
Yes.
In short, if the web page can initiate a request, NEL should be able to report about it (to the reporting server the request's origin has set).
- Is NEL supposed to collect information on requests initiated by installed webextensions?
I believe that the answer to that from an implementation perspective is no. (@clelland - please correct me if I'm wrong). I'm not sure how we can define that though, as I don't think Fetch has a concept of extension-initiated resources. (@noamr - am I missing it?)
It's tricky. What are "requests initiated by web extensions"?
If the extension created an image with a src, then nothing makes it different from regular images.
Same if this is a main-world extension.
If the extension's content script calls fetch in its own realm/world, it's perhaps possible to somehow differentiate it using the realm concept but I don't exactly know how to word it.
There's a theoretical world where extensions could define their own NEL header, used only for requests which they initiate inside of their own world -- on extension pages, or as part of their own non-content scripts. Anything that doesn't directly affect the document. That's probably out-of-scope here, though.
Agreed that if an extension script injects an , and that subsequently causes an image to be requested, there's currently no way to distinguish that from any other image request. Is that a situation which we would filter out, if we could somehow attribute it to an extension, or should we say that this is fundamentally in scope for NEL?
There is no way to filter those out. The only ones you could filter out are direct fetch()
calls.
Next steps-- consider marking this issue as Done, but, file a new issue more narrowly scoped for work which was raised in this thread (i.e. what to do w/ Extensions)
My interpretation of that phrasing in the paper is "NEL should not allow giving the user agents a list of URLs and time intervals at which they should check them and report." So, in my opinion this can be closed.
To the specific point of web extensions: The user installed that extension so they presumably want those requests to happen.