Contact emails
fal...@chromium.org, yhi...@chromium.org
Explainer
None: this is a minor change to an existing feature.
Design doc/Spec
The relevant specs are CSSOM, Fetch, and HTML. Specifically, see Fetch #146, #737, and #834.
The TAG review is being skipped because this is a minor change that doesn’t require review.
Summary
This changes the behavior of stylesheets in certain cases. There are three changes included in this intent:
Change #1:
Use the response URL rather than the last request URL as the base URL of the stylesheet. This aligns with the standard. See https://github.com/whatwg/fetch/pull/146. WPT results indicate Firefox, Edge, and Safari use the response URL. This only matters if the response came from a service worker, as the URLs only differ when the service worker intercepts the request and responds with a different URL via respondWith(fetch(other_url)).
This is covered by the WPT:
service-workers/service-worker/fetch-request-css-base-url.https.html
Motivation
The primary motivation is to use the response URL as the base URL (Change #1 above) in order to match other implementations and align with the specification. In doing so, I found it convenient to make the other two changes to preserve SOP in our implementation. See the CL at https://chromium-review.googlesource.com/c/chromium/src/+/1367331.
Risks
Interoperability and Compatibility
Change #1 has some compatibility risk because it affects how the base URL is determined, which affects the behavior of stylesheets that request subresources using relative paths. However it has minimal interoperability risk because it aligns with the behavior of other browsers.
Change #2 and #3 have some compatibility and interoperability risk. But I consider the risk low since they are edge cases: A->B->A redirects seem low risk because Chrome already changed that behavior for other resources, and it’s unlikely the change on load failure will meaningfully affect sites.
Edge: Shipped for Change #1, No Signals for #2 and #3
Firefox: Shipped for Change #1, Support for #2, No Signals for #3
Safari: Shipped for Change #1, Support for #2, No Signals for #3
Web / Framework developers: No signals
Ergonomics
Are there any other platform APIs this feature will frequently be used in tandem with?
Could the default usage of this API make it hard for Chrome to maintain good performance (i.e. synchronous return, must run on a certain thread, guaranteed return timing)?
No.
Activation
Will it be challenging for developers to take advantage of this feature immediately, as-is?
Would this feature benefit from having polyfills, significant documentation and outreach, and/or libraries built on top of it to make it easier to use?
No.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Is this feature fully tested by web-platform-tests?
Yes, service-workers/service-worker/fetch-request-css-base-url.https.html and css/cssom/stylesheet-same-origin.sub.html
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5642183499579392 (needs to be updated to include Change #2 and #3)
Requesting approval to ship?
Yes.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ_xCinaiRE4vCOzuX1tiYfbPqKx5H%3DBn_BUd_BsdkJzYySuwQ%40mail.gmail.com.
#2, about treating A -> B -> A as cross domain, sounds like a risky change. Do you have any indication about how common it is? I could imagine it being triggered by url shortening services and others. I do see the point, where a different site could otherwise replace bank.url/main.css with with bank.url/demo-malicious.css and cause all kind of problems. But how web compatible is it?
#1, seems good to me. So respondWith() different than a redirect?
#3, not sure I understand this one. Why is a network error a security error?
Thanks!On Tue, Dec 11, 2018 at 10:36 PM Daniel Bratell <bra...@opera.com> wrote:#2, about treating A -> B -> A as cross domain, sounds like a risky change. Do you have any indication about how common it is? I could imagine it being triggered by url shortening services and others. I do see the point, where a different site could otherwise replace bank.url/main.css with with bank.url/demo-malicious.css and cause all kind of problems. But how web compatible is it?We don't have metrics, but according to Yutaka's post we've already changed image, script, fetch, media to have this behavior in Chrome 71 and it seems like it's gone okay.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ_xCineKeMKMDPj6Z%3DFtvkif%3D30SX%2B_URR0wbEWoyGdEs_A7A%40mail.gmail.com.
Thanks!On Tue, Dec 11, 2018 at 10:36 PM Daniel Bratell <bra...@opera.com> wrote:#2, about treating A -> B -> A as cross domain, sounds like a risky change. Do you have any indication about how common it is? I could imagine it being triggered by url shortening services and others. I do see the point, where a different site could otherwise replace bank.url/main.css with with bank.url/demo-malicious.css and cause all kind of problems. But how web compatible is it?We don't have metrics, but according to Yutaka's post we've already changed image, script, fetch, media to have this behavior in Chrome 71 and it seems like it's gone okay.#1, seems good to me. So respondWith() different than a redirect?Correct, it doesn't alter the request URL like a redirect but alters the response URL.#3, not sure I understand this one. Why is a network error a security error?I'll see if I can find an answer to this. According to the specs, a network error (response type "error") is neither CORS-same-origin nor CORS-cross-origin, and CSS's "origin clean" flag is set iff CORS-same-origin. I'll ask if that was an intentional decision (cc Anne).
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ_xCikb-McvJaGixOpBSsA7Y4wpLkT_kwBR3yBqzdB%3D-Z7t2Q%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-SFQcJVAnOmQW3pgpC-1VtNJihqmkoYrm1oD2mcycYuA%40mail.gmail.com.
Matt, it's only developers writing service workers who might need to be aware of this change, right?
And even then, the vast majority of them (perhaps even all) are unlikely to notice any of these three changes, is that right?
Are you aware of any sites / shipping code which will break as a result of these changes?