Re-enable strict MIME type checking for Worker/SharedWorker
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox81 | --- | fixed |
People
(Reporter: evilpies, Assigned: evilpies)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-needed, site-compat, Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
Comment 1•6 years ago
After Bug 1569122 'Limit Worker/SharedWorker MIME type blocking to Beta/Nightly' we should keep this bug to re-enable strict mime type checking at some point.
We want to coordinate re-enabling for Release/Beta with Chrome and get the MIME type restrictions for Workers into the specification: https://github.com/whatwg/html/issues/3255.
I think we should just do this. We had this on early-beta and nightly for half a year now. Maybe at some point the Chrome people will respond.
Posted site compatibility note for web developers.
Comment 7•5 years ago
bugherder
Updated the site compatibility note.
Bug 1623916 reverted this change again, so we need to re-enable the Worker MIME type blocking at some point in the future.
Comment 10•5 years ago (Assignee)
It seems like some of the other changes are going to ship in 80, should we try this again?
Telemetry still looks very good worker_load 2.22k (0%).
Comment 11•5 years ago
(In reply to Tom Schuster [:evilpie] from comment #10)
> It seems like some of the other changes are going to ship in 80, should we try this again?
> Telemetry still looks very good worker_load 2.22k (0%).
I would like that, yes, but let's check with other folks to make sure we are all on the same page.
Steven, given the discussion around Bug 1623916 a few weeks back on Slack, are you fine with us re-enabling or should we hold back?
Comment 12•5 years ago
I'm fine with re-enabling now. Overholt, do you have any issues with this (you were also part of the conversation)?
Comment 13•5 years ago
I've asked Mike to help make the decision here.
Comment 14•5 years ago
If we have been warning devs of this change via a console warning for at least three releases, let's go ahead and land this change.
If not, please file a blocking bug to land a console warning and then we can land this change after three additional releases.
Comment 15•5 years ago (Assignee)
We have had a general warning for wrong script MIME types since the beginning of 2019 (bug 1510223) on all channels. We have actively been blocking Worker loads with wrong MIME type on early-beta and nightly for about a year (bug 1569122).
Comment 16•5 years ago (Assignee)
Comment 17•5 years ago
Comment 18•5 years ago
bugherder
Comment 19•4 years ago
I'm updating the MDN docs for this - release note here.
The only thing I think might be incorrect in the docs is the note on Worker/SharedWorker:
"A NetworkError is raised if the MIME type of the worker script is incorrect. It should always be text/javascript."
I THINK the change is that this should include application/javascript as an option, and also note that this is only enforced from Firefox 81. Is that correct?
Comment 20•4 years ago
PS. The extended discussion seemed to indicate that this would be done in sync with Chrome browser - did that happen, and if so do you happen to know if it would affect other "Chromiums" - Opera, Edge etc? This is for the browser compat data.
Comment 21•4 years ago
PPS Will this affect Firefox for Android? There doesn't seem to be any reason why not, other than the original browser compat data says it was not, and this change does not indicate either way - i.e. see https://wiki.developer.mozilla.org/en-US/docs/Web/API/Worker/Worker#Browser_compatibility
Comment 22•4 years ago (Assignee)
> I THINK the change is that this should include application/javascript as an option, and also note that this is only enforced from Firefox 81. Is that correct?
While application/javascript (and other specified JS MIME types) will work, the HTML standard says that only text/javascript should be used: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#JavaScript_types https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
> PS. The extended discussion seemed to indicate that this would be done in sync with Chrome browser - did that happen, and if so do you happen to know if it would affect other "Chromiums" - Opera, Edge etc? This is for the browser compat data.
I think Chrome/Blink implemented this change, considering that they seem to pass this test: https://wpt.fyi/results/workers/Worker_script_mimetype.htm. They however still fail the test in Chrome 85 for me, so maybe they haven't made this change in stable yet. I don't know.
> PPS Will this affect Firefox for Android?
It should, there is nothing Desktop specific about this change.
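A check a site operator could run over recorded worker script responses to find ones affected by this enforcement, as an added example that is not part of the bug thread or Firefox's own code. It assumes the JavaScript MIME type list from the WHATWG MIME Sniffing standard and a simplified Content-Type parse; the function names and sample responses are constructed, and treating a missing header as blocked is an assumption.

```javascript
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header value to its lowercase "type/subtype" essence.
// Simplified: parameters such as charset are dropped and no sniffing is done.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Classify one worker script response:
//   "ok"          - text/javascript, the type the HTML standard says to use
//   "nonstandard" - another JavaScript MIME type; loads, but should be changed
//   "blocked"     - not a JavaScript MIME type, so the Worker load fails
//                   (a missing header is treated as blocked: an assumption)
function classifyWorkerScript(contentType) {
  const essence = mimeEssence(contentType);
  if (essence === "text/javascript") return "ok";
  if (JS_MIME_ESSENCES.has(essence)) return "nonstandard";
  return "blocked";
}

// Audit { url, contentType } records and return only those needing a fix.
function auditWorkerScripts(responses) {
  return responses
    .map((r) => ({ ...r, verdict: classifyWorkerScript(r.contentType) }))
    .filter((r) => r.verdict !== "ok");
}

// Constructed sample data (not taken from the bug).
const SAMPLE_RESPONSES = [
  { url: "/js/worker.js", contentType: "text/javascript; charset=utf-8" },
  { url: "/js/legacy-worker.js", contentType: "Application/JavaScript" },
  { url: "/cdn/worker.js", contentType: "text/plain" },
  { url: "/api/worker", contentType: "application/json" },
  { url: "/static/shared.js", contentType: undefined },
];

console.log(auditWorkerScripts(SAMPLE_RESPONSES));
```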