New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should strict MIME type for importScripts() also be enforced on local URLs? #8869
Labels
Comments
annevk
added
topic: workers
interop
Implementations are not interoperable with each other
labels
Feb 9, 2023
Kaiido
added a commit
to Kaiido/wpt
that referenced
this issue
Feb 9, 2023
See whatwg/html#8869 This currently expects the specced behavior, i.e local URLs should also enforce strict MIME types. This fails in both Firefox and Chrome and passes in Safari. Note that in its initial form it doesn't use .any. because I couldn't find a way to exclude only ServiceWorkers (which don't have access to createObjectURL). It also doesn't test for `filesystem:` protocol because I'm not quite sure what's the status of this, and to write a test for it.
We don't have any telemetry in Firefox for |
annevk
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Feb 10, 2023
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Feb 20, 2023
…portScripts, a=testonly Automatic update from web-platform-tests Workers: ensure scripty type for local URLs in importScripts See whatwg/html#8869. -- wpt-commits: 774793190ed1e0b75bfbddb80c71ad614ad206b2 wpt-pr: 38430
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this issue
Feb 23, 2023
…portScripts, a=testonly Automatic update from web-platform-tests Workers: ensure scripty type for local URLs in importScripts See whatwg/html#8869. -- wpt-commits: 774793190ed1e0b75bfbddb80c71ad614ad206b2 wpt-pr: 38430
marcoscaceres
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Mar 28, 2023
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Mar 28, 2023
…pts, r=smaug This patch introduces a new pref: dom.workers.importScripts.enforceStrictMimeType which is enabled by default on Nightly see: whatwg/html#8869, whatwg/html#4001 Differential Revision: https://phabricator.services.mozilla.com/D173149
Probably not a deal breaker, but this caused a regression in emscripten: emscripten-core/emscripten#19080 (https://bugzilla.mozilla.org/show_bug.cgi?id=1824839) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
#4001 set up a strict MIME type enforcement for
importScripts()
. However while all UAs seem to have agreed about external URLs, and tests are written for these, there is a compat issue regarding local URLs (data:
andblob:
).Both Chrome and Firefox seem to not look at the MIME type of such URLs, while Safari and if I read correctly, the specs, do throw on these too. Quick test cases:
data:
URL, andblob:
URL.I'm not sure what would be the best here. These being local might warrant a special case (e.g I wouldn't be surprised to see a
blob:
URL pointing to a dynamically created script on which thetype
wasn't set).Originally posted in #4001 (comment)
The text was updated successfully, but these errors were encountered: