Fix WPT failures for JSON modules in /preload/
Categories
(Core :: DOM: Core & HTML, task)
Tracking
()
People
(Reporter: allstars.chh, Assigned: allstars.chh)
References
(Blocks 1 open bug)
Details
Attachments
(4 files)
This is a follow-up for bug 1858078, we split the preload part into this bug. (See https://bugzilla.mozilla.org/show_bug.cgi?id=1858078#c14)
The following WPT for JSON modules are related to preload:
preload-csp.sub.html.ini
reflected-as-value.html.ini
preload-type-match.html.ini
There is also one another
modulepreload-as.html.ini,
but maybe will be fixed in a separate bug or bug 1933242
Assignee | ||
Comment 1•20 days ago
|
||
https://fetch.spec.whatwg.org/#request-destination-script-like
Currently "json" is not treated as script-like destination.
Add "json" to the IsScriptLikeOrInvalid function to ensure it returns false for
"json".
Assignee | ||
Comment 2•20 days ago
|
||
-
https://html.spec.whatwg.org/#attr-link-as
The as attribute specifies the potential destination for a preload request for the resource given by the href attribute. -
https://fetch.spec.whatwg.org/#concept-potential-destination
A potential destination is "fetch" or a destination which is not the empty string. -
https://fetch.spec.whatwg.org/#concept-request-destination
A request has an associated destination, which is the ..., "json", ...
Assignee | ||
Comment 3•20 days ago
|
||
Implement https://html.spec.whatwg.org/#translate-a-preload-destination
And add mime-type check for JSON files.
Assignee | ||
Comment 4•17 days ago
|
||
In the WPT PR 41665 1,
preload-csp.sub.html was added connect-src:'none' in the CSP 2,
the reason is that the json modules will use 'connect-src' as the CSP
directive, see the destination "json" in 3.
However, this test calls "hasArrivedAtServer" to verify the result 4,
which uses 'fetch()' API. 5
And according the CSP spec, the directive for fetch() is "connect-src" (See
the empty string in 3)
Hence the change introduced in 2 causes the call to fetch() will
violate the CSP restriction, and causes the test failed on all browser
vendors. 6
Further check the history on the wpt.fyi in 6, we can find out all
browsers started to fail since Oct.31.2023, which is also the date the
PR 41665 1 is merged into master 7.
Now back to the test itself, since preloading json modules is not
allowed in previous patch D234890 8 and whatwg PR 10212 9, we can
just simply remove the connect-src: 'none' CSP directive.
Description
•