Compat: Should the parser execute scripts created in another document #2137
Comments
|
The normative part is
https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script and
https://html.spec.whatwg.org/multipage/scripting.html#execute-the-script-block |
|
Checking This changed in: |
zcorpan
added
security/privacy
|
I think https://bugzilla.mozilla.org/show_bug.cgi?id=592366 summarizes the issue well enough, no? It's possible to enable this behavior, but it leads to all sorts of complexity in the interaction of script elements and the parser, which is already quite complex. Absent an actual web compat need, I don't think we should be introducing this complexity into the spec and into implementations. Of course @jakearchibald just tried his hardest to introduce actual web compat need. :( |
|
Meh, I'm proposing it as an alternative to |
|
Well, except for the part where you said it executes scripts. ;) Anyway, for this particular case the real question is whether the non-Gecko browsers are willing to align with the spec. If not, I would like to see a concrete spec proposal that describes what their actual behavior is, assuming they actually have the same behavior. |
|
And unrelatedly, we should in fact just have some sort of streaming-parse-into-an-existing-document API that doesn't involve hacks. Is there an existing issue filed on that? |
|
I know it's something @domenic has had bouncing around his head. I'm hoping this iframe hack shows it could be easier than we initially thought. I'd love to be able to do: const div = document.createElement('div');
document.body.appendChild(div);
const response = await fetch(url);
await response.body.pipeTo(div.writable);…or something. |
|
Is just removing that line enough to deal with the issues Henri raised? As a simple example, has someone carefully stepped through the resulting logic and ensured that the parser being blocked and unblocked ends up being the same parser? |
|
And, importantly, has someone audited every use of "node document" around the |
|
If the script should be executed then this thread is reopened: https://lists.w3.org/Archives/Public/public-whatwg-archive/2010Sep/0030.html |
|
Ah, I had forgotten about that one. It's been a while. I strongly urge everyone in this discussion to read that entire thread, which describes the incompatibilities in behavior at the time, the crashes this behavior caused in WebKit at the time, and the lack of clarity around interactions with CSP and whatnot.... Then please come back with an actual concrete proposal and tests that show what browsers actually do in the various interesting edge cases. |
|
I think we should keep the spec as not executing scripts that have moved between docs during the parse. As the earlier-referenced W3C and Mozilla Bugzilla entries show, the spec text was arrived at as a result of implementor feedback resulting from first trying to do things the way that allowed the execution of moved scripts. |
|
Note that Edge allows less than Chrome (and I assume Safari) here; in Jake's reduced test case, it only logs "Inline script", and not "Inline script" + "External script" as Chrome does. I'm going to write tests against this behavior and hopefully Chrome can conform with the current spec as part of also fixing #2673. |
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec.
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec.
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec.
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec.
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec.
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec.
This causes scripts that move between documents between the preparation and execution phases to not execute, aligning with most browsers. Closes #2469. This does not address #2137, which is about scripts moving between documents between the parsing and preparation, or parsing and execution phases. Tests: web-platform-tests/wpt#19632
This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <d@domenic.me>
|
I think we're in a better position to tackle this issue now, as:
In particular there are two pieces of the current spec that are signposted as "under debate":
@hiroshige-g, would you be able to extend your test generator to see whether browsers implement these checks or not? That seems like the first step. |
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <d@domenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <d@domenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <d@domenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <d@domenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <ddomenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632 UltraBlame original commit: 1dec2d9d8ecb6c3d48e595c3fe53167f365dd7a9
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <ddomenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632 UltraBlame original commit: fdfdeaafaa3ea6cd8883bc904cd1fdab533b22e9
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <ddomenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632 UltraBlame original commit: 1dec2d9d8ecb6c3d48e595c3fe53167f365dd7a9
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <ddomenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632 UltraBlame original commit: fdfdeaafaa3ea6cd8883bc904cd1fdab533b22e9
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <ddomenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632 UltraBlame original commit: 1dec2d9d8ecb6c3d48e595c3fe53167f365dd7a9
Automatic update from web-platform-tests Scripts moved between documents (#19632) This follows the changes in whatwg/html#2673, but also tests the issue at whatwg/html#2137 in favor of the current spec. Co-Authored-By: Domenic Denicola <ddomenic.me> -- wpt-commits: 299dd665683c2c5a4896bfb7727d8666aa6bba89 wpt-pr: 19632 UltraBlame original commit: fdfdeaafaa3ea6cd8883bc904cd1fdab533b22e9
Doesn't the test generator already support testing the points scenarios you raised @domenic?
|
|
I think you're right, @domfarolino! Thanks for looking into it.
Safari too, right? |
That's correct, not sure why I thought otherwise. |
This PR adds empty-src tests, which moves <script src=""> elements between Documents before #prepare-a-script. If the parser document check is done in #prepare-a-script, the <script>'s error event is not fired, and thus we can more-completely test whether the parser document check is done. This PR also does some minor refactoring / documentation clean-up, as well as adds a TODO to remove some of the tests once whatwg/html#2137 is closed and whatwg/html#5575 lands. Co-authored-by: Dominic Farolino <domfarolino@gmail.com>
…e in #prepare-a-script, a=testonly Automatic update from web-platform-tests Test whether parse document check is done in #prepare-a-script (#23162) This PR adds empty-src tests, which moves <script src=""> elements between Documents before #prepare-a-script. If the parser document check is done in #prepare-a-script, the <script>'s error event is not fired, and thus we can more-completely test whether the parser document check is done. This PR also does some minor refactoring / documentation clean-up, as well as adds a TODO to remove some of the tests once whatwg/html#2137 is closed and whatwg/html#5575 lands. Co-authored-by: Dominic Farolino <domfarolino@gmail.com> -- wpt-commits: eccee3ede4f1debb1ad5bd34e6122bcb2cadce48 wpt-pr: 23162
…e in #prepare-a-script, a=testonly Automatic update from web-platform-tests Test whether parse document check is done in #prepare-a-script (#23162) This PR adds empty-src tests, which moves <script src=""> elements between Documents before #prepare-a-script. If the parser document check is done in #prepare-a-script, the <script>'s error event is not fired, and thus we can more-completely test whether the parser document check is done. This PR also does some minor refactoring / documentation clean-up, as well as adds a TODO to remove some of the tests once whatwg/html#2137 is closed and whatwg/html#5575 lands. Co-authored-by: Dominic Farolino <domfarolino@gmail.com> -- wpt-commits: eccee3ede4f1debb1ad5bd34e6122bcb2cadce48 wpt-pr: 23162
The #prepare-a-script algorithm [1] includes a check asserting that a script element's parser document == its node document, for parser-inserted scripts. Spec discussion has been happening around this at [2], and WPTs have been added for this in [3] and [4] as part of an overall effort to test and better-specify the behavior of script elements that move between documents. Before this CL, Chromium had no concept of a parser document, and therefore would execute scripts that were moved to another document before ScriptLoader::PrepareScript was invoked. This CL introduces a |parser_document_| to ScriptLoader, which is populated from CreateElementFlags::ParserDocument(), similar to the |parser_inserted_| flag. [1]: https://html.spec.whatwg.org/C/#prepare-a-script [2]: whatwg/html#2137 [2]: web-platform-tests/wpt#19632 [3]: web-platform-tests/wpt#23162 Bug: 721914, 1086507 Change-Id: I7a0980afb47be93f8ed9948658b2cc8e4fa04669 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2214301 Commit-Queue: Dominic Farolino <dom@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Commit-Position: refs/heads/master@{#777203}
|
Given the fact that Firefox already ships this, and the UseCounter for scripts that were moved between preparation and execution was very low in Chromium, I've gone ahead and shipped this in Chrome. I think we can close this issue now? |
|
Excellent. I'll merge #5575 then. |
This remove notes pointing to whatwg#2137, and thus closes whatwg#2137. We'll proceed with preventing scripts from executing if they've moved between documents, as this is now shipping in two engines.
The #prepare-a-script algorithm [1] includes a check asserting that a script element's parser document == its node document, for parser-inserted scripts. Spec discussion has been happening around this at [2], and WPTs have been added for this in [3] and [4] as part of an overall effort to test and better-specify the behavior of script elements that move between documents. Before this CL, Chromium had no concept of a parser document, and therefore would execute scripts that were moved to another document before ScriptLoader::PrepareScript was invoked. This CL introduces a |parser_document_| to ScriptLoader, which is populated from CreateElementFlags::ParserDocument(), similar to the |parser_inserted_| flag. [1]: https://html.spec.whatwg.org/C/#prepare-a-script [2]: whatwg/html#2137 [2]: web-platform-tests/wpt#19632 [3]: web-platform-tests/wpt#23162 Bug: 721914, 1086507 Change-Id: I7a0980afb47be93f8ed9948658b2cc8e4fa04669 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2214301 Commit-Queue: Dominic Farolino <dom@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#777203} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: f104795245d1a32fde965862578baeb6e75961be
The spec says no:
But Edge, Chrome and Safari all allow it. Reduced test (see the console) - source.
I really like how this silly hack allows you to inject content in a streaming manner in a way that's very close to how a regular page-load behaves, including executing scripts, but some kind of streaming document fragment would be a better way to deliver that.
The text was updated successfully, but these errors were encountered: