Updated the plan to have a new feature NoThrowForCSPBlockedWorker to control the new behavior.
On Tuesday, January 14, 2025 at 5:39:28 AM UTC-8 Stephen Chenney wrote: On Mon, Jan 13, 2025 at 5:31 PM 'Liang Zhao (REDMOND)' via blink-dev < blin...@chromium.org> wrote: *Contact emails* lz...@microsoft.com *Explainer* None *Specification* https://fetch.spec.whatwg.org/#concept-main-fetch *Summary* When blocked by CSP, Chromium currently throws SecurityError from constructor. Spec requires CSP to be checked as part of fetch and fires error event asynchronously. This aims to make Chromium spec conformant, which is not throwing during constructor and fires error event asynchronously. Does Chromium throw the exception _and_ send the event? The current Chromium behavior is throw exception only. As no worker object is returned, could not fire event on a worker object. *Blink component* Blink>SecurityFeature>ContentSecurityPolicy <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22> *TAG review* None *TAG review status* Not applicable *Risks* *Interoperability and Compatibility* Currently Firefox works as spec-ed while Safari works the same as Chrome. With the wrong test code in WPT tests, Firefox is failing the tests: https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned After updating Chrome code and WPT tests, Firefox passes the tests while Safari fails the tests. *Gecko*: Shipped/Shipping *WebKit*: No signal *Web developers*: No signals *Other signals*: This changes the behavior the same as Firefox. *WebView application risks* *Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?* *Debuggability* When worker is blocked by CSP, there is DevTools message logged about the blocking by CSP. This behavior is not changed. *Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?* Yes *Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* Yes https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned Note that the test code currently has the wrong expectation and will be updated as part of this feature work. *Flag name on about://flags* None *Finch feature name* None *Non-finch justification* This is a simple change of behavior for uncommon scenario where worker is blocked by CSP, and the changed behavior is the same as Firefox and spec aligned. It is unlikely that a site depends on the current behavior of throwing exception for blocked worker. I believe this needs a flag. While unlikely that anyone is depending on this it is not possible to be sure. In addition, I strongly advise a use counter, if possible, to see how often this code path gets hit, to verify "unlikely". That does not remove the need for a flag because not all installs report UMA data. Updated to use feature name NoThrowForCSPBlockedWorker now. FWIW, this is a scenario where the site tries to create a new Worker or SharedWorker object, but the url of the worker is blocked by its CSP, so the worker object is not created and related worker script would not run. *Requires code in //chrome?* False *Tracking bug* https://issues.chromium.org/issues/41285169 *Estimated milestones* Shipping on desktop 134 DevTrial on desktop 134 Shipping on Android 134 DevTrial on Android 134 Shipping on WebView 134 *Anticipated spec changes* *Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).* None *Link to entry on the Chrome Platform Status* https://chromestatus.com/feature/5177205656911872?gate=5108732671033344 -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CO1PR00MB2285E0FC0FEC6768415E9F979E1F2%40CO1PR00MB2285.namprd00.prod.outlook.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CO1PR00MB2285E0FC0FEC6768415E9F979E1F2%40CO1PR00MB2285.namprd00.prod.outlook.com?utm_medium=email&utm_source=footer> . -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/927d12b0-189f-4173-b49d-f2487c0d95c9n%40chromium.org.
