On Mon, Jan 13, 2025 at 5:31 PM 'Liang Zhao (REDMOND)' via blink-dev <blink-dev@chromium.org> wrote:

> *Contact emails*
>
> lz...@microsoft.com
>
> *Explainer*
>
> None
>
> *Specification*
>
> https://fetch.spec.whatwg.org/#concept-main-fetch
>
> *Summary*
>
> When blocked by CSP, Chromium currently throws SecurityError from
> constructor. Spec requires CSP to be checked as part of fetch and fires
> error event asynchronously. This aims to make Chromium spec conformant,
> which is not throwing during constructor and fires error event
> asynchronously.

Does Chromium throw the exception _and_ send the event?

> *Blink component*
>
> Blink>SecurityFeature>ContentSecurityPolicy
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22>
>
> *TAG review*
>
> None
>
> *TAG review status*
>
> Not applicable
>
> *Risks*
>
> *Interoperability and Compatibility*
>
> Currently Firefox works as spec-ed while Safari works the same as Chrome.
> With the wrong test code in WPT tests, Firefox is failing the tests:
> https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> After updating Chrome code and WPT tests, Firefox passes the tests while
> Safari fails the tests.
>
> *Gecko*: Shipped/Shipping
>
> *WebKit*: No signal
>
> *Web developers*: No signals
>
> *Other signals*: This changes the behavior the same as Firefox.
>
> *WebView application risks*
>
> *Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?*
>
> *Debuggability*
>
> When worker is blocked by CSP, there is DevTools message logged about the
> blocking by CSP. This behavior is not changed.
>
> *Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?*
>
> Yes
>
> *Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
>
> Yes
>
> https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> Note that the test code currently has the wrong expectation and will be
> updated as part of this feature work.
>
> *Flag name on about://flags*
>
> None
>
> *Finch feature name*
>
> None
>
> *Non-finch justification*
>
> This is a simple change of behavior for uncommon scenario where worker is
> blocked by CSP, and the changed behavior is the same as Firefox and spec
> aligned. It is unlikely that a site depends on the current behavior of
> throwing exception for blocked worker.

I believe this needs a flag. While unlikely that anyone is depending on this it is not possible to be sure. In addition, I strongly advise a use counter, if possible, to see how often this code path gets hit, to verify "unlikely". That does not remove the need for a flag because not all installs report UMA data.

> *Requires code in //chrome?*
>
> False
>
> *Tracking bug*
>
> https://issues.chromium.org/issues/41285169
>
> *Estimated milestones*
>
> Shipping on desktop
> 134
>
> DevTrial on desktop
> 134
>
> Shipping on Android
> 134
>
> DevTrial on Android
> 134
>
> Shipping on WebView
> 134
>
> *Anticipated spec changes*
>
> *Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).*
>
> None
>
> *Link to entry on the Chrome Platform Status*
>
> https://chromestatus.com/feature/5177205656911872?gate=5108732671033344
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CO1PR00MB2285E0FC0FEC6768415E9F979E1F2%40CO1PR00MB2285.namprd00.prod.outlook.com

--
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGsbWzTSMs0gReFaEcrFfbSHkCHYd_5QczK0P7DZ00%2B6-F4x3Q%40mail.gmail.com.
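
The two behaviours discussed in this thread, handled in one place, as an added example that is not part of the original messages or of Chromium's code. `startWorker`, `onFailure`, `WorkerCtor` and the two stand-in classes are illustrative names constructed for this example; in a browser the third argument defaults to the real `Worker`.

```javascript
// Added example. startWorker, onFailure and WorkerCtor are illustrative names.
function startWorker(url, onFailure, WorkerCtor = globalThis.Worker) {
  let reported = false;
  const report = (phase, detail) => {
    if (reported) return; // report each worker at most once
    reported = true;
    onFailure({ url, phase, detail });
  };
  let worker;
  try {
    // Behaviour the thread describes for Chromium today: the constructor throws.
    worker = new WorkerCtor(url);
  } catch (err) {
    if (!err || err.name !== "SecurityError") throw err; // unrelated failure
    report("constructor", err.name);
    return null;
  }
  // Spec behaviour: construction succeeds and an error event fires asynchronously.
  // The same event fires for other worker failures too, so treat it as
  // "worker unusable" rather than as proof of a CSP block.
  worker.addEventListener("error", (event) => report("event", event.message || "error"));
  return worker;
}

// Constructed stand-ins for the two browser behaviours, so this runs outside a browser.
class ThrowingWorker {
  constructor() {
    const err = new Error("blocked by policy");
    err.name = "SecurityError";
    throw err;
  }
}
class EventWorker {
  constructor() { this.listeners = {}; }
  addEventListener(type, fn) { this.listeners[type] = fn; }
  fireError() { this.listeners.error({ message: "" }); }
}

function demo() {
  const seen = [];
  const a = startWorker("/w.js", (f) => seen.push(f.phase), ThrowingWorker);
  const b = startWorker("/w.js", (f) => seen.push(f.phase), EventWorker);
  b.fireError(); // stands in for the asynchronous error event
  b.fireError(); // a second event is not reported again
  return { a, seen };
}
```

Code that only wraps the constructor in `try`/`catch` stops seeing the failure once the exception is replaced by the event, which is the compatibility risk the reply raises.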