Speculations over HTTP - inconsistency with prefetch and prerender

[tunetheweb]

Currently prerender is permitted over HTTP and HTTPS, while prefetch only works over HTTPS.

While there some differences (prefetch can apply in cross-origin context while prerender cannot), the inconsistency is a little confusing.

We have been moving towards restricting powerful APIs to HTTPS-only it would make more sense to me to restrict prerender, rather than relax prefetch, but either way I think we should resolve the inconsistency.

[domenic]

Based on some Chrome data, 0.2% of prerenders are over non-secure HTTP. I think we should disable it.

[jeremyroman]

I think the additional reason here is to diminish the risk of user activity being disclosed to folks able to sniff network traffic (e.g., public Wi-Fi) unless the user really wants to go there (in which case it's the only way to satisfy their intent).

Filed https://crbug.com/340895233 on the Chromium side; @domenic do you want to triage/prioritize this issue and the Chromium bug from here (or ask someone else in Tokyo to)?