Closed Bug 1569123 Opened 1 year ago Closed 4 months ago

Re-enable strict MIME type checking for Worker/SharedWorker

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox81 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-needed, site-compat, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

No description provided.
Component: DOM: Workers → DOM: Security
Whiteboard: [domsecurity-backlog1]

After Bug 1569122 'Limit Worker/SharedWorker MIME type blocking to Beta/Nightly' we should keep this bug to re-enable strict mime type checking at some point.

Summary: Strictly enforce MIME type for Worker/SharedWorker by default → Re-enable strict MIME type checking for Worker/SharedWorker
Keywords: site-compat
Depends on: 1584964

We want to coordinate re-enabling for Release/Beta with Chrome and get the MIME type restrictions for Workers into the specification: https://github.com/whatwg/html/issues/3255.

Assignee: nobody → evilpies

I think we should just do this. We had this on early-beta and nightly for half a year now. Maybe at some point the Chrome people will respond.

Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/72e14ab482cf
Re-enable strict MIME type checking for Worker/SharedWorker everywhere. r=ckerschb

Posted site compatibility note for web developers.

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Regressions: 1616237
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Depends on: 1623916

Bug 1623916 reverted this change again, so we need to re-enable the Worker MIME type blocking at some point in the future.

Regressions: 1624113
No longer regressions: 1624113
Blocks: COVID-19

It seems like some of the other changes are going to ship in 80, should we try this again?
Telemetry still looks very good worker_load 2.22k (0%).

Flags: needinfo?(ckerschb)

(In reply to Tom Schuster [:evilpie] from comment #10)

> It seems like some of the other changes are going to ship in 80, should we try this again?
> Telemetry still looks very good worker_load 2.22k (0%).

I would like that, yes, but let's check with other folks to make sure we are all on the same page.

Steven, given the discussion around Bug 1623916 a few weeks back on Slack, are you fine with us re-enabling or should we hold back?

Flags: needinfo?(ckerschb) → needinfo?(sdetar)

I'm fine with re-enabling now. Overholt, do you have any issues with this? (You were also part of the conversation.)

Flags: needinfo?(sdetar) → needinfo?(overholt)

I've asked Mike to help make the decision here.

Flags: needinfo?(overholt) → needinfo?(mconca)

If we have been warning devs of this change via a console warning for at least three releases, let's go ahead and land this change.

If not, please file a blocking bug to land a console warning and then we can land this change after three additional releases.

Flags: needinfo?(mconca) → needinfo?(evilpies)

We have had a general warning for wrong script MIME types since the beginning of 2019 (bug 1510223) on all channels. We have actively been blocking Worker loads with wrong MIME type on early-beta and nightly for about a year (bug 1569122).

Flags: needinfo?(evilpies)
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/0dd7e71184a6
Re-enable strict MIME type checking for Worker/SharedWorker everywhere. r=ckerschb
Target Milestone: mozilla75 → 81 Branch
Status: REOPENED → RESOLVED
Closed: 10 months ago → 4 months ago
Resolution: --- → FIXED

I'm updating the MDN docs for this - release note here.

The only thing I think might be incorrect in the docs is the note on Worker/SharedWorker:

"A NetworkError is raised if the MIME type of the worker script is incorrect. It should always be text/javascript."

I THINK the change is that this should include application/javascript as an option, and also note that this is only enforced from Firefox 81. Is that correct?

Flags: needinfo?(evilpies)

PS. The extended discussion seemed to indicate that this would be done in sync with Chrome browser - did that happen, and if so do you happen to know if it would affect other "Chromiums" - Opera, Edge etc? This is for the browser compat data.

PPS Will this affect Firefox for Android? There doesn't seem to be any reason why not, other than the original browser compat data says it was not, and this change does not indicate either way - ie see https://wiki.developer.mozilla.org/en-US/docs/Web/API/Worker/Worker#Browser_compatibility

> I THINK the change is that this should include application/javascript as an option, and also note that this is only enforced from Firefox 81. Is that correct?

While application/javascript (and other specified JS MIME types) will work, the HTML standard says that only text/javascript should be used: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#JavaScript_types https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages

> PS. The extended discussion seemed to indicate that this would be done in sync with Chrome browser - did that happen, and if so do you happen to know if it would affect other "Chromiums" - Opera, Edge etc? This is for the browser compat data.

I think Chrome/Blink implemented this change, considering that they seem to pass this test: https://wpt.fyi/results/workers/Worker_script_mimetype.htm. They however still fail the test in Chrome 85 for me, so maybe they haven't made this change in stable yet. I don't know.

> PPS Will this affect Firefox for Android?

It should, there is nothing Desktop specific about this change.

Flags: needinfo?(evilpies)
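
For site operators checking their own worker scripts against the rule discussed in the last comments, the following is an added example (not Firefox's code and not part of the bug): it classifies a `Content-Type` value using the JavaScript MIME type list from the WHATWG MIME Sniffing standard. The function names, verdict labels and sample URLs are constructed for illustration, and reporting a missing or malformed header as `fix` is this example's choice.

```javascript
// JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  'application/ecmascript', 'application/javascript',
  'application/x-ecmascript', 'application/x-javascript',
  'text/ecmascript', 'text/javascript', 'text/javascript1.0',
  'text/javascript1.1', 'text/javascript1.2', 'text/javascript1.3',
  'text/javascript1.4', 'text/javascript1.5', 'text/jscript',
  'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// HTTP token characters allowed in the type and subtype.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Reduce a Content-Type header value to its lower-cased "type/subtype"
// essence; returns null when the header is missing or malformed.
function mimeEssence(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const bare = headerValue.split(';')[0].replace(/^[ \t\r\n]+|[ \t\r\n]+$/g, '');
  const slash = bare.indexOf('/');
  if (slash < 0) return null;
  const [type, subtype] = [bare.slice(0, slash), bare.slice(slash + 1)];
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return `${type}/${subtype}`.toLowerCase();
}

// Hypothetical helper: 'recommended' for text/javascript, 'accepted' for the
// other JavaScript MIME types, 'fix' for everything else.
function classifyWorkerContentType(headerValue) {
  const essence = mimeEssence(headerValue);
  if (essence === 'text/javascript') return 'recommended';
  if (essence !== null && JS_MIME_ESSENCES.has(essence)) return 'accepted';
  return 'fix';
}

// Constructed sample responses for worker script URLs (not real traffic).
const SAMPLE_RESPONSES = [
  ['/js/worker.js', 'text/javascript; charset=utf-8'],
  ['/js/legacy-worker.js', 'Application/JavaScript'],
  ['/js/misconfigured.js', 'text/plain'],
  ['/js/upload.js', 'application/octet-stream'],
  ['/js/no-header.js', undefined],
];

function auditWorkers(responses) {
  return responses.map(([url, ct]) => ({ url, verdict: classifyWorkerContentType(ct) }));
}

console.log(auditWorkers(SAMPLE_RESPONSES));
```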