Drop support for navigating to responses whose MIME type is multipart/x-mixed-replace
Categories
(Core :: DOM: Navigation, defect)
People
(Reporter: annevk, Unassigned)
Details
(Keywords: leave-open, Whiteboard: btpp-backlog)
Attachments
(1 obsolete file)
It's not supported in Edge, support in Safari seems half-baked, and it has been removed in Chrome long ago: https://bugs.chromium.org/p/chromium/issues/detail?id=249132. https://hixie.ch/tests/evil/page-loading/multipart/001.cgi can be used to test, e.g., with http://damowmow.com/playground/demos/multipart/001.html http://damowmow.com/playground/demos/multipart/002.html as URLs in the textarea. I also plan on removing this from the HTML Standard since it seems unlikely Chrome and Edge will ever pick this up again.
Comment 1•8 years ago
This is going to break websites, afaik, because right now some sites (e.g. Bugzilla!) UA-sniff and deliver mixed-replace content to Gecko... This feature was also used on at least some government websites in the US last I checked, and removing it would make it impossible to access those sites in Firefox. That was 5-6 years ago, though, so maybe they stopped using it since then. As far as Edge goes.... does IE support this? Because if so, I expect they're just telling people who need to use said government websites to use IE or Firefox right now.
Reporter
Comment 2•8 years ago
IE8 and IE11 break in the same way as Edge does (rendering the whole response as HTML, including the boundaries and such). Doesn't look like they ever supported this.
Reporter
Comment 3•8 years ago
https://github.com/whatwg/html/pull/1353 is the proposed change to the HTML Standard by the way.
Comment 5•7 years ago
Can we have telemetry for this in a way that checks the URL to exclude ones that look like Bugzilla query.cgi to get an idea of how big the problem is outside bugzilla installations (which one would hope to undergo some security patch maintenance)?
Comment 7•5 months ago
Ideally, I would like to remove this for all types except images, but there is some uncertainty wrt other media load types and making small steps is easier than huge strides. Especially when it's risking compatibility.
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/68ae10a38cdf restrict multipart/x-mixed-replace to non-document loads r=necko-reviewers,valentin,kershaw
Comment 9•5 months ago
Release Note Request (optional, but appreciated)
[Why is this notable]: We're limiting support for the obscure HTTP Content-Type of multipart/x-mixed-replace due to some security concerns. Other browsers only support this for images, so this should mostly be fine. However, breakage at the HTTP level might be subtle and elevating this to release notes may help people troubleshoot and report back more easily.
[Affects Firefox for Android]: Same. Also removed.
[Suggested wording]: Firefox limits support for the HTTP Content-Type multipart/x-mixed-replace to align with other browsers. Users or enterprises that require ongoing support may change the network.multipart-mixed-replace.enabled_for_document pref to true.
[Links (documentation, blog post, etc)]:
Comment 11•5 months ago
Backed out for causing reftest failures on webcam-simulacrum.mjpg
Comment 12•5 months ago
Ah, a failing reftest. And for some reason docshell/test/mochitest/test_bug1747033.html fails in test-verification mode. Fixed the former, gotta further investigate the latter. Thanks for backing out!
Comment 13•5 months ago
Going for another try run https://treeherder.mozilla.org/jobs?repo=try&revision=819eccb75896827365406748baa5d306462a95c8
Comment 14•5 months ago
OK, the change turns test_bug1747033.html into a failure, but only in test-verification mode.
This is interesting because I'm only adding a pref with pushPrefEnv which should be disabled after the test. Effectively disabled/enabled back and forth for every test restart. Not sure what's going on here.
Comment 15•5 months ago
Often tests will already be failing with TV mode and any change (whitespace) will make them fail in TV (because you need to make some change for them to get run by TV).
Comment 16•4 months ago
I suppose the patch here may not be able to land as written. We will still need to support x-mixed-replace on top-level navigations to ImageDocuments. The ContentPolicyType is not a great deciding factor to use.
I suppose we may have to handle x-mixed-replace somehow in Document / ImageDocument loading instead?
Comment 17•4 months ago
Perhaps interpret all mixed replace as images? If it's not an image it'll just display an error suggesting it's an invalid image. Not great failure mode though.
Comment 18•3 months ago
Not sure I can finish this, unfortunately.
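For the troubleshooting that the release note request in comment 9 anticipates, here is an added example (not Mozilla's code and not part of this bug) that inspects one captured response and reports whether its multipart/x-mixed-replace parts are all images or include other types such as text/html. The sample responses, the function names and the labels returned by classify are constructed for illustration.

```python
import re

MIXED = "multipart/x-mixed-replace"

# Constructed sample responses (Content-Type header, raw body); not real traffic.
SAMPLES = {
    "webcam": (MIXED + "; boundary=frame",
               b"--frame\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8...\r\n"
               b"--frame\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8...\r\n"),
    "status_page": (MIXED + '; boundary="xyz"',
                    b"--xyz\r\nContent-Type: text/html\r\n\r\n<p>Loading</p>\r\n"
                    b"--xyz\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                    b"<p>Done</p>\r\n--xyz--\r\n"),
    "plain": ("text/html; charset=utf-8", b"<p>hi</p>"),
}

def is_mixed_replace(content_type):
    """True if the media type (parameters ignored) is multipart/x-mixed-replace."""
    return content_type.split(";", 1)[0].strip().lower() == MIXED

def part_types(content_type, body):
    """Content-Type of each body part, lower-cased, parameters dropped."""
    m = re.search(r'boundary\s*=\s*(?:"([^"]+)"|([^;\s]+))', content_type, re.I)
    if not is_mixed_replace(content_type) or not m:
        return []
    delim = b"--" + (m.group(1) or m.group(2)).encode("latin-1")
    types = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head = chunk.partition(b"\r\n\r\n")[0].decode("latin-1")
        ct = re.search(r"^content-type:\s*([^;\r\n]+)", head, re.I | re.M)
        types.append(ct.group(1).strip().lower() if ct else "unspecified")
    return types

def classify(content_type, body):
    """Triage label for one response; assumes it was fetched as a document."""
    if not is_mixed_replace(content_type):
        return "not-mixed-replace"
    types = part_types(content_type, body)
    if types and all(t.startswith("image/") for t in types):
        return "image-only"
    return "non-image-parts"  # the case to review before the restriction ships

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name}: {classify(ctype, body)} {part_types(ctype, body)}")
```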