Closed Bug 1523706 Opened 8 months ago Closed 2 months ago

Consider strictly enforcing MIME checks for Worker scripts

Categories: Core :: DOM: Workers (enhancement, P3)
Status: RESOLVED FIXED
Target Milestone: mozilla70
Tracking Status: firefox70 --- fixed
People: Reporter: evilpie, Assigned: evilpie
References: Blocks 2 open bugs
Details: Keywords: dev-doc-needed, site-compat
Attachments: 4 files

It would be good to figure out if we could also restrict the MIME types of worker scripts, instead of just those loaded via importScripts() (Bug 1514680).

I think this issue also still applies: https://github.com/whatwg/html/issues/3255

Component: DOM → DOM: Workers
Assignee: nobody → evilpies

Unless something is wrong with our telemetry I think we should at least try doing this.

This causes quite a lot of test failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=96da6a532b3d2b2fe1e7caea6b79a1ff9f06b29b. I do think some of those might be unrelated.

Interesting find, seems like for some reason tests in WPT use polyglot HTML/JS files ... !!

For example:
workers/interfaces/WorkerGlobalScope/self.html
workers/semantics/interface-objects/003.html
workers/semantics/interface-objects/004.html
workers/interfaces/WorkerUtils/WindowTimers/003.html
workers/interfaces/WorkerUtils/WindowTimers/005.html

https://searchfox.org/mozilla-central/search?q=new+(Shared)%3FWorker..%23&case=false&regexp=true&path=

Should we change those tests or just disable them for us?

Flags: needinfo?(ckerschb)

(In reply to Tom Schuster [:evilpie] from comment #5)
> Should we change those tests or just disable them for us?

From my quick check it seems those usages are not intentional by the authors of the tests and I think we should update them.

Flags: needinfo?(ckerschb)
Depends on: 1557736

I am waiting for review to update some of the WPT tests, but at least a few need to be disabled, because they just don't work when blocking other MIME types.

Keywords: leave-open
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6782caf07c7d
Use JavaScript mime type for two worker tests. r=ckerschb
Attachment #9067976 - Attachment description: Bug 1523706 - Consider strictly enforcing MIME checks for Worker scripts → Bug 1523706 - Consider strictly enforcing MIME checks for Worker scripts. r?ckerschb

Depends on D37911

I am going to send an Intent to Ship for this, considering that Chrome seems disinclined to implement this.

Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8fcae0a0d731
Consider strictly enforcing MIME checks for Worker scripts. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/122642699fc5
Disable WPT Worker tests that require a non JavaScript mime. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/09edf04895b6
Extend devtools test. r=ckerschb
Status: NEW → RESOLVED
Closed: 2 months ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Blocks: 1569122
Blocks: 1569123
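
Since this change is flagged site-compat, here is an added example (not code from this bug or from Firefox) that audits the Content-Type of worker scripts the way a site operator might before strict enforcement reaches users. It assumes the accepted set is the JavaScript MIME type list from the WHATWG MIME Sniffing standard; the URLs and responses are constructed sample data.

```javascript
// Added example: audit Content-Type headers of worker scripts.
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard
// (assumption: the browser's strict check accepts exactly this set).
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header to its lowercase "type/subtype" essence,
// dropping parameters such as charset. Returns null if absent or malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

function isJavaScriptMime(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JS_MIME_ESSENCES.has(essence);
}

// Return the responses whose worker script would be refused under strict checking.
function findBlockedWorkers(responses) {
  return responses
    .filter((r) => !isJavaScriptMime(r.contentType))
    .map((r) => ({ url: r.url, essence: mimeEssence(r.contentType) }));
}

// Constructed sample data (hypothetical URLs, not taken from the bug).
const SAMPLE_RESPONSES = [
  { url: "/js/worker.js", contentType: "application/javascript; charset=utf-8" },
  { url: "/tests/self.html", contentType: "text/html" },           // polyglot HTML/JS
  { url: "/js/legacy-worker.js", contentType: "Text/JavaScript" }, // case-insensitive match
  { url: "/cdn/worker.js", contentType: "text/plain" },
  { url: "/api/worker", contentType: undefined },                  // header missing
];

console.log(findBlockedWorkers(SAMPLE_RESPONSES));
```

Each entry it reports is a worker script that needs its server-side Content-Type corrected; a missing header shows up with a null essence.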