Consider strictly enforcing MIME checks for `importScripts()`.

RESOLVED FIXED in Firefox 67

Status

()

enhancement
P3
normal
RESOLVED FIXED
7 months ago
2 months ago

People

(Reporter: mkwst, Assigned: evilpie)

Tracking

(Blocks 2 bugs, {dev-doc-complete, site-compat})

unspecified
mozilla67
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox67 fixed)

Details

Attachments

(1 attachment)

After discussion in https://github.com/whatwg/html/issues/3255 and https://github.com/whatwg/html/pull/4001, Chrome is shipping strict MIME type checks on `importScripts()` in Chrome 71 (https://chromium-review.googlesource.com/c/chromium/src/+/1206270). Intent to Remove thread with discussion and data at https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ.

It would be lovely if y'all followed suit!
Component: Security → DOM
Blocks: 1333995
Priority: -- → P3
Assignee: nobody → evilpies

I think we can easily implement this in EnsureMIMEOfScript, we already detect importScript for telemetry purposes anyway.
Interestingly enough in our data we get more wrong importScript loads than Worker(). I am not sure I trust that data.

Load type Count
serviceworker_load 346473
worker_load 8691
importScript_load 66207
script_load 73557538

Source: https://mzl.la/2M8gXWO

Still needs a test, I think I can use the devtools for this, like bug 1510223.

Attachment #9037003 - Attachment description: Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). → Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). r?ckerschb!
Attachment #9037003 - Attachment description: Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). r?ckerschb! → Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). r?ckerschb r?dveditz!
Attachment #9037003 - Attachment description: Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). r?ckerschb r?dveditz! → Bug 1514680 - Strictly enforce the MIME type of scripts loaded by importScripts(). r?ckerschb,dveditz!
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/d085f7afb20a
Strictly enforce the MIME type of scripts loaded by importScripts(). r=dveditz
Blocks: 1523706
Component: DOM → DOM: Workers

There are also wpt10 failures at:
/workers/importscripts_mime.any.sharedworker.html | importScripts() requires scripty MIME types: text/html is blocked. - expected FAIL
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=224789502&repo=autoland&lineNumber=67152

Sorry, I forgot to push this patch to try. This is a new try push with the test failures fixed: https://treeherder.mozilla.org/#/jobs?repo=try&revision=998efab278f2d93655b31d14327ab32c02ed4fee.

Updated the patch on phabricator.

Flags: needinfo?(evilpies)
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/0791e1a5bdaa
Strictly enforce the MIME type of scripts loaded by importScripts(). r=dveditz
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Note to MDN writers:

I've added a note about this to the Fx67 rel notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/67#WorkersService_workers

In terms of other work, probably just needs an entry adding to BCD, and maybe a more detailed note about it on the importScripts() page.

I've submitted a PR to add a data point about this to our compat data repo: https://github.com/mdn/browser-compat-data/pull/4090

I checked https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/importScripts, and there is an exception listed that is thrown when the mime type of the scripts are not correct. It looks like this works in terms of providing detail about it. Does that sound correct?

You need to log in before you can comment on or make changes to this bug.