Hardening: Precedence of the SourceMap HTTP header over the sourceMappingURL comment #27
Comments
|
I would also favor that the header wins over the contents because otherwise the header is quite useless. That said I am not sure if actually having that header is a good idea. We don’t observe it much in practice and I wonder if there is appetite in deprecating that header. |
|
It seems that the header usage is around 0.1%. Not sure if that is low enough to warrant deprecation. |
|
I would not remove support but discourage the use. The header makes some sense in a world where you don’t need the contents of the minified JavaScript but for practice reasons the minified file is very much required so you can’t really optimize much anyways. The header however is a potential interoperability hazard and it also makes debugging what’s going on ever so slightly more complex. |
|
If the browsers already behave one way, why are we giving precedence to the header? Besides the inline comment being considerably easier to work with, it's also closer to the actual content (being in the content). |
|
@jridgewell the spec never mentioned it one way or another which is why we now have the situation that it's inconsistent. Safari and Firefox prefer the header, Chrome prefers the comment, unsure what Edge does but I assume it matches Chrome. We (Sentry) also prefer the header over the embedded contents. As it stand you cannot rely on the header overriding the content (which is the primary usecase I see for it) because Chrome does it the other way around. I have definitely seen uses of the header internationally overriding the contents. For instance Sentry supports source map fetching and it will issue a specific header for this. Over the years there has been at least one user which has injected a source map header redirecting all requests to a separate HTTP server, only when it detected us scraping via the source map header. In that case we would not have found the source map if we went for the comment. |
|
Here's a testing setup that can be used to validate the spec compliance: https://github.com/kamilogorek/sourcemaps-headers
@mitsuhiko based on my today's tests:
|
Currently, the spec does not say what takes precedence if the source contains the
//# sourceMappingURL=xcomment, but the header specifies a different source map. The spec should specify that the header overrides that sourceMappingURL comment, and the browsers should be fixed accordingly (see the relevant Chromium bug).The text was updated successfully, but these errors were encountered: