Use appropriate fetch destination for JSON&CSS modules #9486
Conversation
|
@annevk knows more about Fetch than me, but here's my initial stab at some answers: I think a destination of "" for JSON is reasonable. If we were to invent a JSON destination, I wonder if it would conflict with any existing practice, or whether it'd make a lot of sense given that most JSON fetches are via If we were to invent a JSON destination, with regard to the Accept header, https://httpwg.org/specs/rfc7231.html#header.accept says
which is a bit unclear to me. Are only the forms I don't think mode should change. Mode and destination are orthogonal, as far as I know? I don't think the "Should response to request be blocked due to nosniff?" algorithm is affected. We perform our own custom MIME type checking in HTML, separate from the nosniff infrastructure. Now that we're setting the destination, that checking will sometimes be redundant, but sometimes it won't be. (In particular, our checking always happens, whereas the Fetch spec's checking only happens if |
|
The question should not be "will servers recognize that Reading the linked RFC, only going through the formal syntax definitions and ignoring the prose, I believe that (Note: I would love to use |
|
Have you checked out https://datatracker.ietf.org/doc/html/rfc6838#section-4.2 ? It says subtypes must start with Servers may be parsing with that in consideration. |
nicolo-ribaudo
force-pushed
the
css-json-modules-fetch-destination
branch
from
38059ed
to
d27d13a
Compare
|
I added a commit to use
I do not have strong opinions regarding what exactly this Accept header should be and what the
|
|
On the Since
https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.2 It would be nice to prefer a more specific type of JSON, but I'm not sure how feasible that is, since that brings back the If When specificity is equal ( So maybe Edit: IIRC, the starting number we base it on ( |
|
Thank you for the detailed analysis! I made the priorities 1-0.9-0.5, since all the other examples I could find in the fetch spec start from 1.
Given that all the |
source
Outdated
| <p class="note"><span data-x="concept-fetch">Fetch</span> sets the (`<code | ||
| data-x="http-accept">Accept</code>`, `<code data-x="">text/css,*/*;q=0.1</code>`) header for CSS | ||
| modules.</p> | ||
| </li> |
There was a problem hiding this comment.
I think it would be cleaner to add a "json" destination and keep Fetch responsible for the Accept header. CSP treats "json" the same as the empty string I think.
There was a problem hiding this comment.
Done :) whatwg/fetch#1691
|
While doing the changes in the fetch spec, I noticed that this would also allow |
annevk
added
the
needs tests
|
As with whatwg/fetch#1691 I think we can count Chromium and WebKit as supportive based on statements in #7233, but I'll tag some people here just in case. |
|
@nicolo-ribaudo any progress on tests and implementation bugs? |
|
I'll write them next week |
nicolo-ribaudo
force-pushed
the
css-json-modules-fetch-destination
branch
from
f13739c
to
269df0c
Compare
annevk
added
topic: script
and removed
needs tests
This is needed for whatwg/html#9486. Tests: web-platform-tests/wpt#41665.
|
Thank you @nicolo-ribaudo for resolving this longstanding issue with non-JavaScript modules! |
The "Import Attributes" ECMAScript proposal has been updated to allow attributes to affect how modules are fetched, so that HTML can use them to set the proper destination when fetching CSS and JSON modules [1]. This has two major effects: - the `Accept` HTTP header is now specific to the module type, rather than simply being `*/*` - we use the relevant CSP policy rather than always script-src. This patch only implements this change for CSS modules. The change for JSON modules will come in a later patch, as it's more complex because it requires introducing a new fetch destination [2]. It passes the relevant wpt tests [3] when using --js-flags="--harmony_import_attributes. [1]: whatwg/html#9486 [2]: whatwg/fetch#1691 [3]: web-platform-tests/wpt#41665 Bug: 1491336 Change-Id: I4abf09dd828e5ded2b685be6da231c3fca90e19f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4949956 Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Stephen Chenney <schenney@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Commit-Queue: Nicolò Ribaudo <nribaudo@igalia.com> Cr-Commit-Position: refs/heads/main@{#1249592}
This patch adds a new `json` fetch destination [fetch-spec-pr], that has
the following characteristics:
- it implies the `Accept: application/json,*/*;q=0.5` HTTP header;
- it uses the `connect-src` CSP directive [csp-spec-pr].
This new destination is used when fetching JSON module scripts, using
`import ... from "/data" with { type: "json" }` [html-spec-pr].
https://crrev.com/c/4949956 implements a similar change for CSS module
scripts, but their implementation is simpler because the `style`
destination already exists.
This patch passes all the relevant WPT tests [wpt-pr] (when using
--js-flags="--harmony_import_attributes), although I had to run them
manually because they have not been merged yet.
This patch does not add support for `<link rel="preload" as="json">`,
which is also introduced by the linked fetch and HTML spec changes.
[fetch-spec-pr]: whatwg/fetch#1691
[csp-spec-pr]: w3c/webappsec-csp#611
[html-spec-pr]: whatwg/html#9486
[wpt-pr]: web-platform-tests/wpt#41665
Bug: 1491336
Change-Id: I6661ddc9be04935e2ee760eb78d1060ae0192a55
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4955077
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: David Bertoni <dbertoni@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Xinghui Lu <xinghuilu@chromium.org>
Commit-Queue: Nicolò Ribaudo <nribaudo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#1249822}
Fixes #7233
Acceptheader for JSON modules with network imports denoland/deno#20866Acceptheader for JSON modules with network imports nodejs/node#50116(note: changes to the
Acceptheader affect both Node.js and Deno)I'm working on #7233, to bring the last import-attributes-related pieces to the finishing line.
The behavior for CSS modules is easy to define, as it should match how CSS files are loaded in other places: the fetch destination should be
"style", which implies that:Accept: text/css,*/*;q=0.1header (step 13 of https://fetch.spec.whatwg.org/#concept-fetch);styles-srcCSP instead ofscript-src.On the other hand, I believe there is currently no precedent for loading "generic" (i.e. not something like manifest.json) JSON files, and as such it's less clear what the behavior should be. This PR sets the destination to""and hard-codes theAccept: application/json,*/*;q=0.5header (*), and as a consequence:whatwg/fetch#1691 introduces
"json"destination in fetch, so that:Accept: application/json,*/*;q=0.5header (the*/*has aqvalue higher than for CSS modules because there are actually many valid JSON mime types, but we cannot cover them with a glob pattern because it's not possible to indicate "it must end with+json")connect-srcCSP policy instead ofscript-src(Add"json"destination for"connect-src"w3c/webappsec-csp#611), similar to JSON loaded usingfetch.(*) the list of valid JSON mime types is potentially unbounded, since it includes any mime type that ends in+json(ref: JSON mime types). ThisAccept:is currently hard-coded in HTML, but maybe it should be moved to Fetch by defining a new"json"fetch destination.Additionally, I need some clarification on the(Answer: no - #9486 (comment))modeof requests for modules coming from workers&friends (related: #3656). The current logic sets the request's mode to same-origin if the destination is worker/sharedworker/serviceworker. This PR changes the destination for CSS/JSON modules, and I'm not sure if it should also affect the request mode or not.TODO (other specs):
Does this change have implications for https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff??(Answer: no - Use appropriate fetch destination for JSON&CSS modules #9486 (comment))/links.html ( diff )
/webappapis.html ( diff )