1514680 - Consider strictly enforcing MIME checks for `importScripts()`.

Status: RESOLVED FIXED

(Core :: DOM: Workers, enhancement, P3)

Description

[Mike West]

After discussion in https://github.com/whatwg/html/issues/3255 and https://github.com/whatwg/html/pull/4001, Chrome is shipping strict MIME type checks on `importScripts()` in Chrome 71 (https://chromium-review.googlesource.com/c/chromium/src/+/1206270). Intent to Remove thread with discussion and data at https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ.

It would be lovely if y'all followed suit!

Comment 1

[Tom S [:evilpie]]

I think we can easily implement this in EnsureMIMEOfScript, we already detect importScript for telemetry purposes anyway.
Interestingly enough in our data we get more wrong importScript loads than Worker(). I am not sure I trust that data.

Load type	Count
serviceworker_load	346473
worker_load	8691
importScript_load	66207
script_load	73557538

Source: https://mzl.la/2M8gXWO

Comment 2

[Tom S [:evilpie]]

Attachment: Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). r?ckerschb,dveditz!

Comment 3

[Tom S [:evilpie]]

Still needs a test, I think I can use the devtools for this, like bug 1510223.

Comment 4

[Pulsebot]

Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/d085f7afb20a
Strictly enforce the MIME type of scripts loaded by importScripts(). r=dveditz

Comment 5

[Cristian Brindusan [:cbrindusan]]

Backed out changeset d085f7afb20a (Bug 1514680) for mochitest failures at test_importScripts_3rdparty.html

Backout: https://hg.mozilla.org/integration/autoland/rev/015cdc788e05a9dafc0abe737c9d16153f607b4c

Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&revision=d085f7afb20a6718b42e4735c269a1b81f2c0065&selectedJob=224787263

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224787263&repo=autoland&lineNumber=3082

Comment 6

[Cristian Brindusan [:cbrindusan]]

There are also wpt10 failures at:
/workers/importscripts_mime.any.sharedworker.html | importScripts() requires scripty MIME types: text/html is blocked. - expected FAIL
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224789502&repo=autoland&lineNumber=67152

Comment 7

[Tom S [:evilpie]]

Sorry, I forgot to push this patch to try. This is a new try push with the test failures fixed: https://treeherder.mozilla.org/#/jobs?repo=try&revision=998efab278f2d93655b31d14327ab32c02ed4fee.

Updated the patch on phabricator.

Comment 8

[Pulsebot]

Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/0791e1a5bdaa
Strictly enforce the MIME type of scripts loaded by importScripts(). r=dveditz

Comment 9

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/0791e1a5bdaa

Comment 10

[Chris Mills [:cmills]]

Note to MDN writers:

I've added a note about this to the Fx67 rel notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/67#WorkersService_workers

In terms of other work, probably just needs an entry adding to BCD, and maybe a more detailed note about it on the importScripts() page.

Comment 11

[Chris Mills [:cmills]]

I've submitted a PR to add a data point about this to our compat data repo: https://github.com/mdn/browser-compat-data/pull/4090

I checked https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/importScripts, and there is an exception listed that is thrown when the mime type of the scripts are not correct. It looks like this works in terms of providing detail about it. Does that sound correct?

Comment 12

[Kohei Yoshino [:kohei]]

Posted site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2019/worker-script-served-with-wrong-mime-type-will-be-blocked/