preload, destinations, and module scripts

[domenic]

The problem

Given <link rel="preload" href="foo.js" as="script">, we don't know whether foo.js will be a classic script or module script. This means that we can't parse it ahead of time. Additionally, for module scripts I'd expect preloading the module script to also preload its dependencies.

Potential solutions

We could solve this in one of two ways, as far as I can see:

1. <link rel="preload" href="foo.js" as="module"> or some other similar destination (e.g. modulescript)
2. <link rel="preload" href="foo.js" as="script" type="module">

(2) was initially rather attractive to me, for matching the syntax used by the <script> element. Note that there's no conflict with the existing semantic of type="" being a MIME type, since in practice that is not used by any part of the HTML or preload specs.

But now I am less sure. It seems hard to spec it in a clean way. We'd either need to thread the type="" metadata through all the fetch locations (including e.g. service worker, not just the preload spec, right?), or we'd need to create some sort of "shadow destination", so breaking the 1:1 mapping of as="" and request destinations. That sounds not great.

I'd love thoughts on the best way to go here. If (1) is the way to go then we can just Bikeshed the destination name and update HTML to use it when fetching module scripts.

/cc @addyosmani @yoavweiss @whatwg/modules

[yoavweiss]

I strongly prefer (1) as I think (2) can cause serious confusion, even if we'd find a way to cleanly spec it.

One example where type is currently used (and encouraged) is:
<link href="foo.woff2" rel=preload as=font type="font/woff2">

I think it won't be trivial to explain why type means one thing for some as values, but something else for others.

[domenic]

I disagree on the explanatory issues, but setting that aside for now, why is type used and encouraged there when the preload spec does not use type="" at all? Are implementations doing nonstandard processing of the type="" attribute that is not in the spec?

[yoavweiss]

Hmm, you're right that type is missing from the "obtain the preload resource" processing model (It is present in "appropriated times" processing.)
I'll file an issue.

[annevk]

How would the type attribute translate into a fetch() call?

(The real problem here is that JavaScript modules don't have their own MIME type. If you want different parsing, you should communicate that there.)

[yoavweiss]

@annevk - I think that varies based on the option we would choose to take.

Current preload implementation (and spec's spirit, despite processing model omissions that @domenic pointed out) treats type (and media) as a "barrier" before fetching the resource. If type is an unsupported media type, the resource should never be fetched. As such, I'm not sure how type should be translated to fetch(), but maybe we're missing a "does this mime type work for this resource type" primitive.

In the (2) option @domenic is proposing, type would have an impact on the resource fetching behavior (it will enable us to change the type of script we're fetching, which can impact ability to ahead-of-time processing, preloading dependencies, etc). That would mean that type should be piped into fetch() in these cases, but not necessarily in others (e.g. fonts and images, which use type to determine "do I preload this at all?")

[jakearchibald]

Somewhat related: We're investigating caching parsed versions of scripts when they're added to the cache API & we've hit a similar problem.

Our current plan is to parse as a script, then try parsing as a module if it bails. We wouldn't have to do this if the info was on the request object. But meh, we're just playing with ideas right now.

[yoavweiss]

@jakearchibald - IIUC, defining a module as the request's destination would solve both cases, right?

[jakearchibald]

@yoavweiss only if there was a way of creating a request object with that destination.

[yoavweiss]

Right... That seems like something we'd want to do anyway.
(Potentially by adding destination to RequestInit).

Talking to @slightlyoff last week, he mentioned that currently there's no way for SW to fetch a script as a script. So in terms of network priority, an altered script request will have a significantly lower priority than an equivalent unaltered request, which isn't great.

[annevk]

From what I remember the problem with that was actually making sure it is indeed used for the stated purpose. It's not entirely clear to me preload guarantees that at the moment, probably in part because the preload cache is not defined...

Because if it's not used for the stated purpose, you can circumvent CSP to some extent, which uses these tags.

[yoavweiss]

Doesn't an empty destination let you circumvent CSP in similar ways?

Preload's implementation in Blink/WebKit currently prevents that by using the same request pipelines that prevent such "type-mismatch reuse" on regular resource requests.
(so that <img src=foo><script src=foo></script> send out two different requests, at least as far as the rendering engine is concerned). I'm not aware of those pipelines and checks being specced anywhere.

[annevk]

Empty should result in the ultimate fallback of CSP, so no, I don't think so.

And yeah, preload not being defined has been a known problem for a while, I wish it were fixed. (See also #354.)

[yoavweiss]

Empty should result in the ultimate fallback of CSP, so no, I don't think so.

Oh, OK. I thought empty is subject to connect-src for some reason

[domenic]

OK, so it sounds like there's more appetite for (1), a new destination. I can work on the appropriate spec PRs after we settle the remaining questions:

1. Is it OK to have recursive preload behavior, i.e. it fetches the whole module script tree? Basically, I think that would be better, but maybe it doesn't fit with the conception of preload as "declarative fetch", so I wanted to check with people first.
2. Do we also duplicate all the other script-type destinations? I.e. do we create "moduleserviceworker", "modulesharedworker", "moduleworker"? (Another reason why type=module seems nicer...)
3. Is "module" a good destination name, or should it maybe be "modulescript"?