Web Worker with coep:require-corp header started from coep:credentialless isn't run
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox112 | --- | fixed |
People
(Reporter: 1benediktwerner, Assigned: sefeng)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Steps to reproduce:
First enable browser.tabs.remote.coep.credentialless on about:config to enable support for the cross-origin-embedder-policy: credentialless header.
Then from an HTML page served with the cross-origin-embedder-policy: credentialless header, start a web worker of a file that is served with cross-origin-embedder-policy: require-corp.
Here is a minimal example setup: https://home.in.tum.de/~wernerbe/cgi-bin/firefox-credentialless-bug/
Actual results:
The web worker isn't executed at all i.e. the console.log in the worker doesn't run, the main page doesn't receive the postMessage, and about:debugging#/runtime/this-firefox doesn't list the worker.
There also is no visible error message.
Expected results:
The web worker runs. See https://home.in.tum.de/~wernerbe/cgi-bin/firefox-credentialless-bug/?credentialless for a version where the worker is also served with coep:credentialless and runs.
Tbh I'm not really sure how this should behave but it works in Chrome. I don't really have the knowledge to judge how this works in Chrome and whether it's problematic there or whether it should work in Firefox.
The reason why this is useful is that it allows serving JS files via a CDN with consistent headers (always coep:require-corp which is supported by all browsers that require it).
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Assignee
Comment 2•2 years ago
Yeah, this is a bug. I'll have a patch to fix this soon.
Assignee
Comment 3•2 years ago
Our "check a global object's embedder policy" step is not updated after we have coep:credentialless.
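The "check a global object's embedder policy" step named in comment 3, written out as the HTML Standard defines it now that credentialless exists. This is an added example, not Firefox's code or the patch from this bug; the function names are made up here and the header parsing is simplified.

```javascript
// Added example: models the HTML Standard's dedicated-worker COEP check.
// Not Firefox source; all function names here are hypothetical.
const COEP_VALUES = ["unsafe-none", "require-corp", "credentialless"];

// Simplified parse of a Cross-Origin-Embedder-Policy header value: take the
// token before any ";" parameters. A missing or unrecognised value falls back
// to "unsafe-none", the default policy.
function parseCoep(headerValue) {
  if (typeof headerValue !== "string") return "unsafe-none";
  const token = headerValue.split(";")[0].trim();
  return COEP_VALUES.includes(token) ? token : "unsafe-none";
}

// Both isolating values count as "compatible with cross-origin isolation".
function isCompatibleWithCrossOriginIsolation(value) {
  return value === "require-corp" || value === "credentialless";
}

// True when a dedicated worker whose script response carries workerHeader may
// run under an owner document served with ownerHeader. The worker is blocked
// only when the owner is isolating and the worker's own policy is not.
function workerAllowedByOwnerCoep(ownerHeader, workerHeader) {
  const owner = parseCoep(ownerHeader);
  const worker = parseCoep(workerHeader);
  return !isCompatibleWithCrossOriginIsolation(owner) ||
         isCompatibleWithCrossOriginIsolation(worker);
}

// Full owner x worker matrix, useful as a table-driven test fixture.
function coepMatrix() {
  const rows = [];
  for (const owner of COEP_VALUES) {
    for (const worker of COEP_VALUES) {
      rows.push({ owner, worker, allowed: workerAllowedByOwnerCoep(owner, worker) });
    }
  }
  return rows;
}

console.table(coepMatrix());
```

The combination from this report (owner credentialless, worker require-corp) comes out as allowed; the only blocked rows are an isolating owner with an unsafe-none worker.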
Comment 7•2 years ago
bugherder