Consider strictly enforcing MIME checks for `importScripts()`.
Categories
(Core :: DOM: Workers, enhancement, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox67 | --- | fixed |
People
(Reporter: mkwst, Assigned: evilpies)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(1 file)
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
I think we can easily implement this in EnsureMIMEOfScript, we already detect importScript for telemetry purposes anyway.
Interestingly enough in our data we get more wrong importScript loads than Worker(). I am not sure I trust that data.
Load type | Count |
---|---|
serviceworker_load | 346473 |
worker_load | 8691 |
importScript_load | 66207 |
script_load | 73557538 |
Source: https://mzl.la/2M8gXWO
Still needs a test, I think I can use the devtools for this, like bug 1510223.
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment 5•6 years ago
|
||
Backed out changeset d085f7afb20a (Bug 1514680) for mochitest failures at test_importScripts_3rdparty.html
Backout: https://hg.mozilla.org/integration/autoland/rev/015cdc788e05a9dafc0abe737c9d16153f607b4c
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&revision=d085f7afb20a6718b42e4735c269a1b81f2c0065&selectedJob=224787263
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224787263&repo=autoland&lineNumber=3082
Updated•6 years ago
|
Comment 6•6 years ago
|
||
There are also wpt10 failures at:
/workers/importscripts_mime.any.sharedworker.html | importScripts() requires scripty MIME types: text/html is blocked. - expected FAIL
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224789502&repo=autoland&lineNumber=67152
Sorry, I forgot to push this patch to try. This is a new try push with the test failures fixed: https://treeherder.mozilla.org/#/jobs?repo=try&revision=998efab278f2d93655b31d14327ab32c02ed4fee.
Updated the patch on phabricator.
Comment 9•6 years ago
|
||
bugherder |
Comment 10•6 years ago
|
||
Note to MDN writers:
I've added a note about this to the Fx67 rel notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/67#WorkersService_workers
In terms of other work, probably just needs an entry adding to BCD, and maybe a more detailed note about it on the importScripts() page.
Comment 11•6 years ago
|
||
I've submitted a PR to add a data point about this to our compat data repo: https://github.com/mdn/browser-compat-data/pull/4090
I checked https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/importScripts, and there is an exception listed that is thrown when the mime type of the scripts are not correct. It looks like this works in terms of providing detail about it. Does that sound correct?
Comment 12•6 years ago
•
|
||
Posted site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2019/worker-script-served-with-wrong-mime-type-will-be-blocked/
Description
•