Open Bug 1940382 Opened 1 month ago Updated 17 days ago

Fix WPT failures for JSON modules in /preload/

Categories

(Core :: DOM: Core & HTML, task)

task

Tracking

()

People

(Reporter: allstars.chh, Assigned: allstars.chh)

References

(Blocks 1 open bug)

Details

Attachments

(4 files)

This is a follow-up for bug 1858078, we split the preload part into this bug. (See https://bugzilla.mozilla.org/show_bug.cgi?id=1858078#c14)
The following WPT for JSON modules are related to preload:
preload-csp.sub.html.ini
reflected-as-value.html.ini
preload-type-match.html.ini

There is also one another
modulepreload-as.html.ini,
but maybe will be fixed in a separate bug or bug 1933242

https://fetch.spec.whatwg.org/#request-destination-script-like
Currently "json" is not treated as script-like destination.

Add "json" to the IsScriptLikeOrInvalid function to ensure it returns false for
"json".

In the WPT PR 41665 1,
preload-csp.sub.html was added connect-src:'none' in the CSP 2,
the reason is that the json modules will use 'connect-src' as the CSP
directive, see the destination "json" in 3.

However, this test calls "hasArrivedAtServer" to verify the result 4,
which uses 'fetch()' API. 5

And according the CSP spec, the directive for fetch() is "connect-src" (See
the empty string in 3)

Hence the change introduced in 2 causes the call to fetch() will
violate the CSP restriction, and causes the test failed on all browser
vendors. 6

Further check the history on the wpt.fyi in 6, we can find out all
browsers started to fail since Oct.31.2023, which is also the date the
PR 41665 1 is merged into master 7.

Now back to the test itself, since preloading json modules is not
allowed in previous patch D234890 8 and whatwg PR 10212 9, we can
just simply remove the connect-src: 'none' CSP directive.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: