Consider strictly enforcing MIME checks for `importScripts()`.
Categories
(Core :: DOM: Workers, enhancement, P3)
Tracking
Release | Tracking | Status |
---|---|---|
firefox67 | --- | fixed |
People
(Reporter: mkwst, Assigned: evilpie)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(1 file)
After discussion in https://github.com/whatwg/html/issues/3255 and https://github.com/whatwg/html/pull/4001, Chrome is shipping strict MIME type checks on `importScripts()` in Chrome 71 (https://chromium-review.googlesource.com/c/chromium/src/+/1206270). Intent to Remove thread with discussion and data at https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ. It would be lovely if y'all followed suit!
Comment 1•4 years ago (Assignee)
I think we can easily implement this in EnsureMIMEOfScript; we already detect importScript for telemetry purposes anyway.
Interestingly enough, in our data we get more wrong importScript loads than Worker(). I am not sure I trust that data.
Load type | Count |
---|---|
serviceworker_load | 346473 |
worker_load | 8691 |
importScript_load | 66207 |
script_load | 73557538 |
Source: https://mzl.la/2M8gXWO
Comment 2•4 years ago (Assignee)
Comment 3•4 years ago (Assignee)
Still needs a test. I think I can use the devtools for this, like bug 1510223.
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/d085f7afb20a Strictly enforce the MIME type of scripts loaded by importScripts(). r=dveditz
Comment 5•4 years ago
Backed out changeset d085f7afb20a (Bug 1514680) for mochitest failures at test_importScripts_3rdparty.html
Backout: https://hg.mozilla.org/integration/autoland/rev/015cdc788e05a9dafc0abe737c9d16153f607b4c
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&revision=d085f7afb20a6718b42e4735c269a1b81f2c0065&selectedJob=224787263
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224787263&repo=autoland&lineNumber=3082
Comment 6•4 years ago
There are also wpt10 failures at:
/workers/importscripts_mime.any.sharedworker.html | importScripts() requires scripty MIME types: text/html is blocked. - expected FAIL
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224789502&repo=autoland&lineNumber=67152
Comment 7•4 years ago (Assignee)
Sorry, I forgot to push this patch to try. This is a new try push with the test failures fixed: https://treeherder.mozilla.org/#/jobs?repo=try&revision=998efab278f2d93655b31d14327ab32c02ed4fee.
Updated the patch on phabricator.
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0791e1a5bdaa Strictly enforce the MIME type of scripts loaded by importScripts(). r=dveditz
Comment 9•4 years ago
bugherder
Comment 10•4 years ago
Note to MDN writers:
I've added a note about this to the Fx67 rel notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/67#WorkersService_workers
In terms of other work, probably just needs an entry adding to BCD, and maybe a more detailed note about it on the importScripts() page.
Comment 11•4 years ago
I've submitted a PR to add a data point about this to our compat data repo: https://github.com/mdn/browser-compat-data/pull/4090
I checked https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/importScripts, and there is an exception listed that is thrown when the MIME type of the scripts is not correct. It looks like this works in terms of providing detail about it. Does that sound correct?
Comment 12•4 years ago
Posted site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2019/worker-script-served-with-wrong-mime-type-will-be-blocked/
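A server-side audit sketch for the behaviour discussed in this bug, added here as an example and not taken from the Firefox or Chrome patches: it flags responses whose Content-Type would fail a strict check against the JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard. The helper names and sample responses are constructed, the header parsing is simplified, and treating a missing header as a failure is an assumption.

```javascript
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header value to its lowercased "type/subtype" essence.
// Simplified parse (not the full standard algorithm); null if missing or malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// Hypothetical helper: parameters such as charset are ignored, only the
// essence is compared. A missing header is assumed to fail the check.
function passesStrictImportScriptsCheck(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JS_MIME_ESSENCES.has(essence);
}

// Return the responses that a worker calling importScripts() could no
// longer load once the strict check is enforced.
function auditWorkerScripts(responses) {
  return responses
    .filter(({ contentType }) => !passesStrictImportScriptsCheck(contentType))
    .map(({ url, contentType }) => ({ url, essence: mimeEssence(contentType) }));
}

// Constructed sample data: URL paths and headers are made up for illustration.
const SAMPLE_RESPONSES = [
  { url: "/js/lib.js", contentType: "text/javascript; charset=utf-8" },
  { url: "/js/legacy.js", contentType: "Application/X-JavaScript" },
  { url: "/api/jsonp", contentType: "application/json" },
  { url: "/worker-dep.js", contentType: "text/html" }, // e.g. an error page
  { url: "/cdn/raw.js", contentType: "text/plain" },
  { url: "/static/nomime.js", contentType: undefined },
];

console.log(auditWorkerScripts(SAMPLE_RESPONSES));
```
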