
Intent to ship: Blocking Worker/SharedWorker with non-JS MIME type


Tom Schuster

Jul 22, 2019, 6:23:56 AM
to dev-platform
In Firefox 70 we plan to start blocking Worker and SharedWorker
scripts served with non-JavaScript MIME types. We have similarly been
blocking importScripts() since version 67.

Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1523706
Pref: security.block_Worker_with_wrong_mime

This was also discussed at https://github.com/whatwg/html/issues/3255.
It seems like Chrome does NOT plan on shipping this at the moment.

However we are optimistic that we can ship this, because in our data
there are more importScripts with a wrong MIME type than worker
scripts. We didn't dig too deeply into this data, but one idea was
that a lot of worker scripts are actually 404 text/html error pages.

Telemetry: https://mzl.la/2y805sN (Compare worker_load with importScript_load)

Tom

Boris Zbarsky

Jul 22, 2019, 9:01:04 AM
On 7/22/19 6:22 AM, Tom Schuster wrote:
> This was also discussed at https://github.com/whatwg/html/issues/3255.
> It seems like Chrome does NOT plan on shipping this at the moment.

Does "at the moment" mean they are open to shipping it in the future if
we ship it and don't run into web compat issues, or that they are not
planning to ship at all? What are Safari's plans here? What is the
proposed path to interop?

> We didn't dig too deeply into this data, but one idea was
> that a lot of worker scripts are actually 404 text/html error pages.

This is something telemetry could easily measure, yes? Only record
worker script types for responses that would actually get processed
(i.e. not HTTP 4xx responses). Is there a reason not to do that before
shipping this change?

-Boris
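
An added example, not part of the thread and not Firefox code: a tally that separates worker script responses with a non-JavaScript MIME type from HTTP error responses, the split proposed above for the telemetry. The function names and sample responses are constructed for illustration; the list of JavaScript MIME type essences follows the WHATWG MIME Sniffing standard, and treating every status of 400 or above as an error is an assumption.

```javascript
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header value to its lowercase "type/subtype" essence.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Classify one worker script response (hypothetical helper).
// Error responses get their own bucket so that a 404 text/html page
// is not counted as a script served with the wrong MIME type.
function classifyWorkerResponse({ status, contentType }) {
  if (status >= 400) return "http-error"; // assumption: 4xx and 5xx both count
  return JS_MIME_ESSENCES.has(mimeEssence(contentType)) ? "js-mime" : "wrong-mime";
}

// Count responses per bucket.
function tally(responses) {
  const counts = { "js-mime": 0, "wrong-mime": 0, "http-error": 0 };
  for (const r of responses) counts[classifyWorkerResponse(r)] += 1;
  return counts;
}

// Constructed sample data, not taken from the telemetry linked in the thread.
const SAMPLE_RESPONSES = [
  { url: "/js/worker.js", status: 200, contentType: "text/javascript; charset=utf-8" },
  { url: "/js/legacy.js", status: 200, contentType: "Application/X-JavaScript" },
  { url: "/js/data-worker.js", status: 200, contentType: "text/plain" },
  { url: "/js/missing.js", status: 404, contentType: "text/html" },
  { url: "/js/untyped.js", status: 200, contentType: null },
  { url: "/js/app.js", status: 200, contentType: "application/octet-stream" },
];

console.log(tally(SAMPLE_RESPONSES));
```

Only the "wrong-mime" bucket represents scripts that load today and would stop loading under the change; the "http-error" bucket would not have produced a usable worker either way.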

Tom Schuster

Jul 25, 2019, 6:23:28 AM
to Boris Zbarsky, dev-platform
On Wed, Jul 24, 2019 at 3:21 AM Boris Zbarsky <bzba...@mit.edu> wrote:
> On 7/22/19 6:22 AM, Tom Schuster wrote:
> > This was also discussed at https://github.com/whatwg/html/issues/3255.
> > It seems like Chrome does NOT plan on shipping this at the moment.
>
> Does "at the moment" mean they are open to shipping it in the future if
> we ship it and don't run into web compat issues, or that they are not
> planning to ship at all? What are Safari's plans here? What is the
> proposed path to interop?
>

After asking the Chrome team for clarification
(https://github.com/whatwg/html/issues/3255), they are interested in
shipping this, but need more time and information.
So I propose restricting this change to Beta/Nightly and to wait for
them or until we see too much fallout.

> > We didn't dig too deeply into this data, but one idea was
> > that a lot of worker scripts are actually 404 text/html error pages.
>
> This is something telemetry could easily measure, yes? Only record
> worker script types for responses that would actually get processed
> (i.e. not HTTP 4xx responses). Is there a reason not to do that before
> shipping this change?
>

Yes that would be possible. Till now my reasoning was that blocking
importScripts was successful, even though it had higher usage. If we
are going to delay shipping this,
we might as well look into adding those counters.

Tom

Boris Zbarsky

Jul 25, 2019, 3:23:42 PM
On 7/25/19 6:22 AM, Tom Schuster wrote:
> After asking the Chrome team for clarification
> (https://github.com/whatwg/html/issues/3255), they are interested in
> shipping this, but need more time and information.
> So I propose restricting this change to Beta/Nightly and to wait for
> them or until we see too much fallout.

Makes sense.

> importScripts was successful, even though it had higher usage. If we
> are going to delay shipping this,
> we might as well look into adding those counters.

Might make it easier to convince Chrome if we had this data.

-Boris

David Burns

Jul 26, 2019, 1:53:22 AM
to Boris Zbarsky, Tom Schuster, dev-platform
On Jul 25, 2019, 12:23 PM +0200, Tom Schuster <t...@schuster.me>, wrote:
> On Wed, Jul 24, 2019 at 3:21 AM Boris Zbarsky <bzba...@mit.edu> wrote:
> > On 7/22/19 6:22 AM, Tom Schuster wrote:
> > > This was also discussed at https://github.com/whatwg/html/issues/3255.
> > > It seems like Chrome does NOT plan on shipping this at the moment.
> >
> > Does "at the moment" mean they are open to shipping it in the future if
> > we ship it and don't run into web compat issues, or that they are not
> > planning to ship at all? What are Safari's plans here? What is the
> > proposed path to interop?
> >
>
> After asking the Chrome team for clarification
> (https://github.com/whatwg/html/issues/3255), they are interested in
> shipping this, but need more time and information.
> So I propose restricting this change to Beta/Nightly and to wait for
> them or until we see too much fallout.

Are there wpt that we can write to make sure we eventually do have the interop we want here?

David
