
Proposal to define privacy-enhanced prefetching and prerendering #2

@jeremyroman


tl;dr: We'd like to define how to prefetch and prerender content with more privacy-focused direction, and we think we'll need a mechanism for authors to become eligible since we think it is likely to break existing content otherwise.

Proposed solution explainer: https://github.com/jeremyroman/alternate-loading-modes


In order to make the experience of loading on the web faster, user agents employ prefetching and prerendering techniques. However, making cookies and other credentials available to the origin server or script may be inconsistent with the privacy objectives of the user or of the referring site.

First, consider the fetch of the resource. User agents would ideally prefetch the content in a way that does not identify the user. For example, the user agent could:

  • send a request without credentials (e.g., no Cookie or Authorization request header)
  • establish the connection from a different client IP address (e.g., using a proxy server or virtual private network, if available)
  • use a previously fetched response, including one previously fetched by a third party if it can be authenticated

However, because this (intentionally) obscures the user's identity, the response document cannot be personalized for the user. If it is used when the user navigates, the user will notice that they are not logged in (even if they should be), along with other surprising behavior. A page designed with this in mind could "upgrade" itself when it loads, by personalizing the page based on data in unpartitioned storage and by fetching personalized content from the server.

Second, consider prerendering the page. User agents would ideally allow HTML parsing, subresource fetching, and script execution in a way that does not identify the user or cause user-visible annoyance. For example, the user agent could:

  • apply mitigations as above to subresource and scripted fetches
  • deny scripted access to unpartitioned storage, such as cookies and IndexedDB
  • deny permission to invoke window.alert, autoplay audio, and other APIs inappropriate at this time

In this case, not only is the HTML resource not personalized, but script will observe restrictions that would not ordinarily apply until navigation actually occurs. A page designed with this in mind could tolerate this at prerender time, and "upgrade" itself on navigation by accessing storage or fetching from the network.

Since existing web pages are unlikely to behave well with these restrictions today, and it is impractical for user agents to distinguish such pages, we propose a lightweight way for a page to declare that it is prepared for this and will, if necessary, upgrade itself when it gains access to unpartitioned storage and other privileges.

There has been previous discussion along these lines in w3c/resource-hints#82. (It also proposes a new prenavigate hint; defining triggers for these loading modes is not yet part of this proposal.)
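The two-phase "tolerate restrictions, then upgrade" behaviour the proposal asks authors to opt into, as an added example that is not code from the proposal, its explainer, or any browser. The `env` object is a hypothetical stand-in for the browser so the script runs under Node: `env.storage` mimics unpartitioned storage that throws while access is denied, and `env.fetch(url, init)` is a synchronous stub of `fetch` that records which `credentials` mode each request used. The `/api/content` URLs and the `session` key are constructed for the example.

```javascript
// Added example (not code from the proposal or its explainer): a page that
// tolerates the restricted prefetch/prerender mode and upgrades itself once
// it gains access to unpartitioned storage. "env" is a hypothetical stand-in
// for the browser: env.storage mimics unpartitioned storage, env.fetch is a
// synchronous stub of fetch(url, init) that returns a response body string.

// Stand-in for unpartitioned storage: while `locked`, every read throws,
// mirroring "deny scripted access to unpartitioned storage" at prerender time.
class UnpartitionedStorage {
  constructor(data) { this.data = { ...data }; this.locked = true; }
  getItem(key) {
    if (this.locked) throw new Error('SecurityError: unpartitioned storage denied');
    return Object.prototype.hasOwnProperty.call(this.data, key) ? this.data[key] : null;
  }
}

// A page written for this mode must treat "storage unavailable" exactly like
// "not logged in": swallow the error and fall back to the anonymous view.
function readSession(storage) {
  try { return storage.getItem('session'); } catch (_) { return null; }
}

function render(session, content) {
  return session
    ? { mode: 'personalized', user: session, content }
    : { mode: 'anonymous', user: null, content };
}

function createPage(env) {
  let view = null;

  // Phase 1 (prefetch/prerender): request without credentials so the
  // response does not identify the user, then render whatever is possible.
  function load() {
    const content = env.fetch('/api/content', { credentials: 'omit' });
    view = render(readSession(env.storage), content);
    return view;
  }

  // Phase 2 (navigation): storage and credentialed fetches become available;
  // re-read the session and fetch the personalized variant only if needed.
  function upgrade() {
    const session = readSession(env.storage);
    if (session === null) return view; // genuinely anonymous user: nothing to do
    const content = env.fetch('/api/content?personalized=1', { credentials: 'include' });
    view = render(session, content);
    return view;
  }

  return { load, upgrade, current: () => view };
}

// Walk through the lifecycle with constructed data and a recording fetch stub.
function demo() {
  const storage = new UnpartitionedStorage({ session: 'alice' }); // constructed
  const requests = [];
  const env = {
    storage,
    fetch(url, init) {
      requests.push({ url, credentials: init.credentials });
      return init.credentials === 'include' ? 'Welcome back, alice' : 'Generic content';
    },
  };
  const page = createPage(env);
  const before = page.load();   // prerendered view: anonymous, no credentials sent
  storage.locked = false;       // user navigated: privileges granted
  const after = page.upgrade(); // personalized view via a credentialed fetch
  return { before, after, requests };
}
```

The point to check in a real page is the `readSession` fallback: if the error from denied storage propagates, the prerender fails and the user agent gains nothing, whereas swallowing it yields the same anonymous view an uncredentialed prefetch would have produced anyway. The `upgrade` step also skips the second request for a genuinely anonymous user, so opting in costs nothing for visitors who are not logged in.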

Labels: Category: APIs (generic category for proposals related to JS APIs, other than JavaScript language enhancements); Category: protocols (protocol proposals such as HTTP, Web Sockets, and JSON-based protocols)