Re: Intent to ship: Blocking Worker/SharedWorker with non-JS MIME type
On Jul 25, 2019, 12:23 PM +0200, Tom Schuster , wrote: > On Wed, Jul 24, 2019 at 3:21 AM Boris Zbarsky wrote:> > > On 7/22/19 6:22 AM, Tom Schuster wrote: > > > This was also discussed at https://github.com/whatwg/html/issues/3255. > > > It seems like Chrome does NOT plan on shipping this at the moment. > > > > Does "at the moment" mean they are open to shipping it in the future if > > we ship it and don't run into web compat issues, or that they are not > > planning to ship at all? What are Safari's plans here? What is the > > proposed path to interop? > > > > After asking the Chrome team for clarification > (https://github.com/whatwg/html/issues/3255), they are interested in > shipping this, but need more time and information. > So I propose restricting this change to Beta/Nightly and to wait for > them or until we see too much fallout. Are there wpt that we can write to make sure We eventually do have the interop we want here? David ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Blocking Worker/SharedWorker with non-JS MIME type
On 7/25/19 6:22 AM, Tom Schuster wrote: After asking the Chrome team for clarification (https://github.com/whatwg/html/issues/3255), they are interested in shipping this, but need more time and information. So I propose restricting this change to Beta/Nightly and to wait for them or until we see too much fallout. Makes sense. importScripts was successful, even though it had higher usage. If we are going to delay shipping this, we might as well look into adding those counters. Might make it easier to convince Chrome if we had this data. -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Blocking Worker/SharedWorker with non-JS MIME type
On Wed, Jul 24, 2019 at 3:21 AM Boris Zbarsky wrote:> > On 7/22/19 6:22 AM, Tom Schuster wrote: > > This was also discussed at https://github.com/whatwg/html/issues/3255. > > It seems like Chrome does NOT plan on shipping this at the moment. > > Does "at the moment" mean they are open to shipping it in the future if > we ship it and don't run into web compat issues, or that they are not > planning to ship at all? What are Safari's plans here? What is the > proposed path to interop? > After asking the Chrome team for clarification (https://github.com/whatwg/html/issues/3255), they are interested in shipping this, but need more time and information. So I propose restricting this change to Beta/Nightly and to wait for them or until we see too much fallout. > > We didn't dig too deeply into this data, but one idea was > > that a lot of worker scripts are actually 404 text/html error pages. > > This is something telemetry could easily measure, yes? Only record > worker script types for responses that would actually get processed > (i.e. not HTTP 4xx responses). Is there a reason not to do that before > shipping this change? > Yes that would be possible. Till now my reasoning was that blocking importScripts was successful, even though it had higher usage. If we are going to delay shipping this, we might as well look into adding those counters. Tom ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Blocking Worker/SharedWorker with non-JS MIME type
On 7/22/19 6:22 AM, Tom Schuster wrote: This was also discussed at https://github.com/whatwg/html/issues/3255. It seems like Chrome does NOT plan on shipping this at the moment. Does "at the moment" mean they are open to shipping it in the future if we ship it and don't run into web compat issues, or that they are not planning to ship at all? What are Safari's plans here? What is the proposed path to interop? We didn't dig too deeply into this data, but one idea was that a lot of worker scripts are actually 404 text/html error pages. This is something telemetry could easily measure, yes? Only record worker script types for responses that would actually get processed (i.e. not HTTP 4xx responses). Is there a reason not to do that before shipping this change? -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Intent to ship: Blocking Worker/SharedWorker with non-JS MIME type
In Firefox 70 we plan to start blocking Worker and SharedWorker scripts served with non-JavaScript MIME types. We have similarly been blocking importScripts() since version 67. Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1523706 Pref: security.block_Worker_with_wrong_mime This was also discussed at https://github.com/whatwg/html/issues/3255. It seems like Chrome does NOT plan on shipping this at the moment. However we are optimistic that we can ship this, because in our data there are more importScripts with a wrong MIME type than worker scripts. We didn't dig too deeply into this data, but one idea was that a lot of worker scripts are actually 404 text/html error pages. Telemetry: https://mzl.la/2y805sN (Compare worker_load with importScript_load) Tom ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform