Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce strict MIME type checks for worker-imported scripts. #4001

Merged
merged 1 commit into from Dec 18, 2018
Merged

Enforce strict MIME type checks for worker-imported scripts. #4001

merged 1 commit into from Dec 18, 2018

Conversation

mikewest
Copy link
Member

@mikewest mikewest commented Sep 5, 2018
edited by pr-preview bot

This addresses a portion of the proposal in #3255. Tentative tests have
landed in 1.

/webappapis.html ( diff )

@mikewest
Copy link
Member Author

mikewest commented Sep 5, 2018

Chrome is aiming to ship this behavior in Chrome 71 (https://chromium-review.googlesource.com/c/chromium/src/+/1206270). Intent to Remove thread with discussion and data at https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ.

aarongable pushed a commit to chromium/chromium that referenced this pull request Sep 5, 2018
@mikewest
Ship strict MIME-type checks for importScripts().
bd88535 
Intent to Remove: https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ
PR against HTML: whatwg/html#4001

Bug: 794548
Change-Id: I6a310aeeba12bc427062169c6397621725eb9bbd
Reviewed-on: https://chromium-review.googlesource.com/1206270
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588854}
domenic
domenic approved these changes Sep 5, 2018
View reviewed changes
Copy link
Member

@domenic domenic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spec text LGTM.

Given that this has multi-implementer interest per #3255, when do you think is a good time to land this and convert the tests to non-tentative? Perhaps wait until it hits Chrome stable and hasn't been reverted? Or do it now?

source
<li><p><var>response</var>'s <span data-x="concept-response-status">status</span> is not an
<span>ok status</span></p></li>

<li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: <p> should be on same line as <li>, with indentation the same as the previous two bullets.

@annevk
Copy link
Member

annevk commented Sep 6, 2018

To clarify OP, this would only affect importScripts()?

@mikewest
Copy link
Member Author

mikewest commented Sep 6, 2018

To clarify OP, this would only affect importScripts()?

Correct. That's the subset we have solid numbers for, and that looks like we can tighten without visible impact on users. new Worker() and <script> still look a bit out of reach (though I'm hopeful about the former).

@mikewest
Copy link
Member Author

mikewest commented Sep 6, 2018

Given that this has multi-implementer interest per #3255, when do you think is a good time to land this and convert the tests to non-tentative? Perhaps wait until it hits Chrome stable and hasn't been reverted? Or do it now?

Waiting until it hits Chrome stable and sticks seems reasonable. I just wanted to make sure we had a PR up clarifying the behavior Chrome aims to ship.

@domenic
Copy link
Member

domenic commented Sep 6, 2018

OK, cool. I will set a calendar reminder for December 4 and we can check back in then.

@domenic
Copy link
Member

domenic commented Dec 16, 2018

My calendar reminder fired! @mikewest, any problems to report? If not, let's merge this, rename any relevant web platform tests from .tentative to not, and file bugs on all the other browsers.

@mikewest
Copy link
Member Author

Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1514680
WebKit: https://bugs.webkit.org/show_bug.cgi?id=192749

I'll rename the tests in a separate patch.

mikewest added a commit to web-platform-tests/wpt that referenced this pull request Dec 17, 2018
@mikewest
Ship strict MIME checks for 'importScripts()'
b9ad458 
Supporting whatwg/html#4001.
@mikewest mikewest mentioned this pull request Dec 17, 2018
Merged
mikewest added a commit to web-platform-tests/wpt that referenced this pull request Dec 17, 2018
@mikewest
Ship strict MIME checks for 'importScripts()' (#14557)
cac03f7 
Supporting whatwg/html#4001.
@domenic domenic merged commit d1c3679 into master Dec 18, 2018
@domenic domenic deleted the importScripts-mime branch December 18, 2018 22:19
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Jan 23, 2019
@mikewest @jgraham
Bug 1514685 [wpt PR 14557] - Ship strict MIME checks for 'importScrip…
8aca9ab 
…ts()', a=testonly

Automatic update from web-platform-tests
Ship strict MIME checks for 'importScripts()' (#14557)

Supporting whatwg/html#4001.
--

wpt-commits: cac03f7400d61442996918e051671b2267ef2409
wpt-pr: 14557


--HG--
rename : testing/web-platform/tests/workers/importscripts_mime.tentative.any.js => testing/web-platform/tests/workers/importscripts_mime.any.js
mykmelez pushed a commit to mykmelez/gecko that referenced this pull request Jan 23, 2019
@mikewest @jgraham
Bug 1514685 [wpt PR 14557] - Ship strict MIME checks for 'importScrip…
f49a6f9 
…ts()', a=testonly

Automatic update from web-platform-tests
Ship strict MIME checks for 'importScripts()' (#14557)

Supporting whatwg/html#4001.
--

wpt-commits: cac03f7400d61442996918e051671b2267ef2409
wpt-pr: 14557
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this pull request Oct 3, 2019
@marco-c
Bug 1514685 [wpt PR 14557] - Ship strict MIME checks for 'importScrip…
b3db480 
…ts()', a=testonly

Automatic update from web-platform-tests
Ship strict MIME checks for 'importScripts()' (#14557)

Supporting whatwg/html#4001.
--

wpt-commits: cac03f7400d61442996918e051671b2267ef2409
wpt-pr: 14557

UltraBlame original commit: d9ab60a2ad83c0c45666f6f988f92efe6297d0c8
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this pull request Oct 3, 2019
@marco-c
Bug 1514685 [wpt PR 14557] - Ship strict MIME checks for 'importScrip…
e4caeb2 
…ts()', a=testonly

Automatic update from web-platform-tests
Ship strict MIME checks for 'importScripts()' (#14557)

Supporting whatwg/html#4001.
--

wpt-commits: cac03f7400d61442996918e051671b2267ef2409
wpt-pr: 14557

UltraBlame original commit: d9ab60a2ad83c0c45666f6f988f92efe6297d0c8
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this pull request Oct 3, 2019
@marco-c
Bug 1514685 [wpt PR 14557] - Ship strict MIME checks for 'importScrip…
a80e18a 
…ts()', a=testonly

Automatic update from web-platform-tests
Ship strict MIME checks for 'importScripts()' (#14557)

Supporting whatwg/html#4001.
--

wpt-commits: cac03f7400d61442996918e051671b2267ef2409
wpt-pr: 14557

UltraBlame original commit: d9ab60a2ad83c0c45666f6f988f92efe6297d0c8
@Kaiido
Copy link
Member

Kaiido commented Feb 9, 2023

Were local URLs supposed to be ignored here?
It seems both Chrome and Firefox do, while Safari and if I read correctly, the specs, don't: data: URL, and blob: URL.

(Wondering what kind of issue should be opened, and where).

@annevk
Copy link
Member

annevk commented Feb 9, 2023

@Kaiido opening an issue against whatwg/html would be a good start. And if you want you could add test coverage to WPT for the specified behavior. And maybe @mikewest and @evilpie can chime in why their implementations don't match the specification.

@Kaiido Kaiido mentioned this pull request Feb 9, 2023
Open
@mikewest
Copy link
Member Author

mikewest commented Feb 9, 2023

https://chromium-review.googlesource.com/c/chromium/src/+/1917528 says Chrome's exclusion of blob:, filesystem:, and data: was intentional to match Firefox. I don't imagine this is too common, but we'd need to gather some metrics to determine whether we can change the behavior safely.

@Kaiido
Copy link
Member

Kaiido commented Feb 9, 2023

I opened #8869 and I'll look into writing new tests based on https://github.com/web-platform-tests/wpt/blob/master/workers/importscripts_mime.any.js

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Mar 28, 2023
Bug 1819626: Enforce strict MIME type checks for worker-imported scri…
7d615f3 
…pts, r=smaug

This patch introduces a new pref:
dom.workers.importScripts.enforceStrictMimeType

which is enabled by default on Nightly

see: whatwg/html#8869,
whatwg/html#4001

Differential Revision: https://phabricator.services.mozilla.com/D173149
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domenic domenic domenic approved these changes

Assignees
No one assigned
Labels
normative change topic: script topic: workers
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mikewest @annevk @domenic @Kaiido