On 1/13/25 5:19 PM, 'Liang Zhao (REDMOND)' via blink-dev wrote:
*Contact emails*
lz...@microsoft.com
*Explainer*
None
*Specification*
https://fetch.spec.whatwg.org/#concept-main-fetch
*Summary*
When blocked by CSP, Chromium currently throws SecurityError from
constructor. Spec requires CSP to be checked as part of fetch and
fires error event asynchronously. This aims to make Chromium spec
conformant, which is not throwing during constructor and fires error
event asynchronously.
Which constructor?
*Blink component*
Blink>SecurityFeature>ContentSecurityPolicy
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22>
*TAG review*
None
*TAG review status*
Not applicable
*Risks*
*Interoperability and Compatibility*
Are you able to expand on the compatibility implications for this
change, i.e., do we know if Firefox has any site breakage as a result of
their behavior? What scenarios might surprise developers who are relying
on Chrome's current behavior, etc?
**
Currently Firefox works as spec-ed while Safari works the same as
Chrome. With the wrong test code in WPT tests, Firefox is failing the
tests:
https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned>
https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned>
After updating Chrome code and WPT tests, Firefox passes the tests
while Safari fails the tests.
Can you explain what you mean by wrong test code?
/Gecko/: Shipped/Shipping
/WebKit/: No signal
/Web developers/: No signals
/Other signals/: This changes the behavior the same as Firefox.
*WebView application risks*
/Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?/
*Debuggability*
When worker is blocked by CSP, there is DevTools message logged about
the blocking by CSP. This behavior is not changed.
*Will this feature be supported on all six Blink platforms (Windows,
Mac, Linux, ChromeOS, Android, and Android WebView)?*
Yes
*Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
Yes
https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned>
https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned>
Note that the test code currently has the wrong expectation and will
be updated as part of this feature work.
*Flag name on about://flags*
None
*Finch feature name*
None
*Non-finch justification*
This is a simple change of behavior for uncommon scenario where worker
is blocked by CSP, and the changed behavior is the same as Firefox and
spec aligned. It is unlikely that a site depends on the current
behavior of throwing exception for blocked worker.
Can we back up "it is unlikely" with some data? Absent that, I would
strongly suggest we put this behind a flag.
*Requires code in //chrome?*
False
*Tracking bug*
https://issues.chromium.org/issues/41285169
*Estimated milestones*
Shipping on desktop
134
DevTrial on desktop
134
Shipping on Android
134
DevTrial on Android
134
Shipping on WebView
134
*Anticipated spec changes*
/Open questions about a feature may be a source of future web compat
or interop issues. Please list open issues (e.g. links to known github
issues in the project for the feature specification) whose resolution
may introduce web compat/interop risk (e.g., changing to naming or
structure of the API in a non-backward-compatible way)./
None
*Link to entry on the Chrome Platform Status*
https://chromestatus.com/feature/5177205656911872?gate=5108732671033344
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CO1PR00MB2285E0FC0FEC6768415E9F979E1F2%40CO1PR00MB2285.namprd00.prod.outlook.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CO1PR00MB2285E0FC0FEC6768415E9F979E1F2%40CO1PR00MB2285.namprd00.prod.outlook.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4740bf27-9e03-4bc0-b236-9ec9e674d6f4%40chromium.org.
