Closed Bug 1814491 Opened 2 years ago Closed 2 years ago

Web Worker with coep:require-corp header started from coep:credentialless isn't run

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
Firefox 109
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox112 --- fixed

People

(Reporter: 1benediktwerner, Assigned: sefeng)

Details

Attachments

(1 file)

Bug 1814491 - Fix a bug where worker with require_corp was not able to be created if owner has credentialless. r=#necko
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

Steps to reproduce:

First enable browser.tabs.remote.coep.credentialless on about:config to enable support for the cross-origin-embedder-policy: credentialless header.

Then from an HTML page served with the cross-origin-embedder-policy: credentialless header, start a web worker of a file that is served with cross-origin-embedder-policy: require-corp.

Here is a minimal example setup: https://home.in.tum.de/~wernerbe/cgi-bin/firefox-credentialless-bug/

Actual results:

The web worker isn't executed at all i.e. the console.log in the worker doesn't run, the main page doesn't receive the postMessage, and about:debugging#/runtime/this-firefox doesn't list the worker.

There also is no visible error message.

Expected results:

The web worker runs. See https://home.in.tum.de/~wernerbe/cgi-bin/firefox-credentialless-bug/?credentialless for a version where the worker is also served with coep:credentialless and runs.

Tbh I'm not really sure how this should behave but it works in Chrome. I don't really have the knowledge to judge how this works in Chrome and whether it's problematic there or whether it should work in Firefox.

The reason why this is useful is that it allows serving JS files via a CDN with consistent headers (always coep:require-corp which is supported by all browsers that require it).

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Flags: needinfo?(sefeng)

Yeah, this is a bug. I'll have a patch to fix this soon.

Our check a global object's embedder policy step is not updated after
we have coep:credentialless.

Assignee: nobody → sefeng
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

A patch is made.

Flags: needinfo?(sefeng)
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aed80de0d414 Fix a bug where worker with require_corp was not able to be created if owner has credentialless. r=necko-reviewers,valentin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38676 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/aed80de0d414

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
Upstream PR merged by moz-wptsync-bot
QA Whiteboard: [qa-112b-p2]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: