New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enforce strict MIME type checks for worker-imported scripts. #4001
Conversation
This addresses a portion of the proposal in #3255. Tentative tests have landed in [1]. [1]: https://github.com/web-platform-tests/wpt/blob/master/workers/importscripts_mime.tentative.any.js
Chrome is aiming to ship this behavior in Chrome 71 (https://chromium-review.googlesource.com/c/chromium/src/+/1206270). Intent to Remove thread with discussion and data at https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ. |
Intent to Remove: https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ PR against HTML: whatwg/html#4001 Bug: 794548 Change-Id: I6a310aeeba12bc427062169c6397621725eb9bbd Reviewed-on: https://chromium-review.googlesource.com/1206270 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#588854}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spec text LGTM.
Given that this has multi-implementer interest per #3255, when do you think is a good time to land this and convert the tests to non-tentative? Perhaps wait until it hits Chrome stable and hasn't been reverted? Or do it now?
<li><p><var>response</var>'s <span data-x="concept-response-status">status</span> is not an | ||
<span>ok status</span></p></li> | ||
|
||
<li> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: <p>
should be on same line as <li>
, with indentation the same as the previous two bullets.
To clarify OP, this would only affect |
Correct. That's the subset we have solid numbers for, and that looks like we can tighten without visible impact on users. |
Waiting until it hits Chrome stable and sticks seems reasonable. I just wanted to make sure we had a PR up clarifying the behavior Chrome aims to ship. |
OK, cool. I will set a calendar reminder for December 4 and we can check back in then. |
My calendar reminder fired! @mikewest, any problems to report? If not, let's merge this, rename any relevant web platform tests from .tentative to not, and file bugs on all the other browsers. |
Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1514680 I'll rename the tests in a separate patch. |
…ts()', a=testonly Automatic update from web-platform-tests Ship strict MIME checks for 'importScripts()' (#14557) Supporting whatwg/html#4001. -- wpt-commits: cac03f7400d61442996918e051671b2267ef2409 wpt-pr: 14557 --HG-- rename : testing/web-platform/tests/workers/importscripts_mime.tentative.any.js => testing/web-platform/tests/workers/importscripts_mime.any.js
…ts()', a=testonly Automatic update from web-platform-tests Ship strict MIME checks for 'importScripts()' (#14557) Supporting whatwg/html#4001. -- wpt-commits: cac03f7400d61442996918e051671b2267ef2409 wpt-pr: 14557
…ts()', a=testonly Automatic update from web-platform-tests Ship strict MIME checks for 'importScripts()' (#14557) Supporting whatwg/html#4001. -- wpt-commits: cac03f7400d61442996918e051671b2267ef2409 wpt-pr: 14557 UltraBlame original commit: d9ab60a2ad83c0c45666f6f988f92efe6297d0c8
…ts()', a=testonly Automatic update from web-platform-tests Ship strict MIME checks for 'importScripts()' (#14557) Supporting whatwg/html#4001. -- wpt-commits: cac03f7400d61442996918e051671b2267ef2409 wpt-pr: 14557 UltraBlame original commit: d9ab60a2ad83c0c45666f6f988f92efe6297d0c8
…ts()', a=testonly Automatic update from web-platform-tests Ship strict MIME checks for 'importScripts()' (#14557) Supporting whatwg/html#4001. -- wpt-commits: cac03f7400d61442996918e051671b2267ef2409 wpt-pr: 14557 UltraBlame original commit: d9ab60a2ad83c0c45666f6f988f92efe6297d0c8
https://chromium-review.googlesource.com/c/chromium/src/+/1917528 says Chrome's exclusion of |
I opened #8869 and I'll look into writing new tests based on https://github.com/web-platform-tests/wpt/blob/master/workers/importscripts_mime.any.js |
…pts, r=smaug This patch introduces a new pref: dom.workers.importScripts.enforceStrictMimeType which is enabled by default on Nightly see: whatwg/html#8869, whatwg/html#4001 Differential Revision: https://phabricator.services.mozilla.com/D173149
This addresses a portion of the proposal in #3255. Tentative tests have
landed in 1.
/webappapis.html ( diff )