Add uncapped preload headers for style, script assets

[aduth]

🛠 Summary of changes

Updates asset helpers to bypass internal stylesheet_link_tag and javascript_include_tag logic for handling preload response headers, appending preload headers without caps. As of rails/rails#48405 (Rails 7.1), preload headers added by tag helpers are capped at 1kb, which is very limiting, especially given our approach of loading many, smaller assets targeted as sidecar assets for UI components.

While the caps have created some incentives to be more intentional with preloading (e.g. #10612), we've already addressed the lowest hanging fruit, and a number of critical scripts are currently not being preloaded (e.g. reCAPTCHA behaviors on the sign-in screen).

References:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link

📜 Testing Plan

Verify that preload headers are included for all scripts and assets, including integrity or crossorigin directives as appropriate. Compare against https://secure.login.gov

curl -I http://localhost:3000

Verify that there are no style or script regressions in browsing the application, either in local development or in a review application.

[zachmargolis]

we should be able to directly assign this right? I'd go a step further an inline the entire thing, but that would make us have to wrap line 23 below

Suggested change

	crossorigin = true if local_crossorigin_sources?
	crossorigin = local_crossorigin_sources?

[aduth]

This branch was actually a few months old, and that change was one of the first things I tried editing when I resurrected it. But there's a significant difference between nil and false in how it's used with javascript_include_tag, which is the reason for the true if. I can't recall off the top of my head, but I'll make sure to add some test coverage for it when I write those.

[zachmargolis]

ah looks like the source code checks for "not nil" and "true"

maybe it would be easier if we updated local_crossorigin_sources? to match that expected format?

# Fake boolean to match expected values for `:crossorigin` option in `javascript_include_tag`
# @see ActionView::Helpers::AssetTagHelper#javascript_include_tag
# @return [true, nil]
def crossorigin
  true if Rails.env.development? && ENV['WEBPACK_PORT'].present?
end

[aduth]

I tinkered with this a bit, and landed toward a small revision to use presence in 4e23c1e.

Partly for micro-optimization, since the value is referenced twice and would prefer to avoid evaluating that logic twice. But moreso because the true / nil vs. true / false is less to do with some internal logic specific to javascript_include_tag, and moreso about the crossorigin attribute itself, where false would apply an empty string attribute value, which is significant since it's an HTML boolean attribute.

[zachmargolis]

this means that preload_links_header: nil will add the preload header, that seems counterintuitive to me?

[aduth]

this means that preload_links_header: nil will add the preload header, that seems counterintuitive to me?

That would be the same behavior as the default javascript_include_tag behavior [1] [2], though technically it's configurable and respects the configured default.

[zachmargolis]

shoudl we use the same presence trick?

Suggested change

	if attributes[:preload_links_header] != false
	if attributes[:preload_links_header].present?

[aduth]

I think that'd be the opposite behavior from what we expect, since we want :preload_links_header to be opt-out, not opt-in.

[aduth]

Whitespace is optional per the spec, which allows us to salvage back some of the bytesize increase these changes could incur.

link-value = "<" URI-Reference ">" *( OWS ";" OWS link-param )

https://httpwg.org/specs/rfc8288.html#header

("OWS" being defined as "optional whitespace")

[aduth]

I did some local benchmarking and pushed a few more iterations for some small optimizations. The end result is pretty nice, about 75% improvement.

$ RAILS_ENV=production rails runner benchmark.rb # production to cache AssetSources
Warming up --------------------------------------
              Before     3.005k i/100ms
               After     5.416k i/100ms
Calculating -------------------------------------
              Before     29.963k (± 2.0%) i/s -    150.250k in   5.016574s
               After     52.449k (± 7.4%) i/s -    265.384k in   5.099126s

Comparison:
               After:    52449.4 i/s
              Before:    29963.2 i/s - 1.75x  slower

(Benchmark script as HTML comment of this message)

[zachmargolis]

shoudl we use the same presence trick?

Suggested change

	if attributes[:preload_links_header] != false
	if attributes[:preload_links_header].present?