Please also fill out the various reviews in your chromestatus entry (privacy, security, enterprise, debuggability, testing).
On Tue, Jan 14, 2025 at 2:43 PM 'Liang Zhao (REDMOND)' via blink-dev <blink-dev@chromium.org> wrote:

> *From:* Mike Taylor <miketa...@chromium.org>
> *Sent:* Tuesday, January 14, 2025 7:10 AM
> *To:* Liang Zhao (REDMOND) <liang.z...@microsoft.com>; blink-dev@chromium.org
> *Cc:* hirosh...@chromium.org; mk...@chromium.org
> *Subject:* Re: [blink-dev] Intent to Ship: Fire error event instead of throwing for CSP blocked worker
>
> > On 1/13/25 5:19 PM, 'Liang Zhao (REDMOND)' via blink-dev wrote:
> >
> > > *Contact emails*
> > > lz...@microsoft.com
> > >
> > > *Explainer*
> > > None
> > >
> > > *Specification*
> > > https://fetch.spec.whatwg.org/#concept-main-fetch
> > >
> > > *Summary*
> > > When blocked by CSP, Chromium currently throws SecurityError from the
> > > constructor. The spec requires CSP to be checked as part of fetch and an
> > > error event to be fired asynchronously. This aims to make Chromium spec
> > > conformant: not throwing during the constructor, and firing the error
> > > event asynchronously.
> >
> > Which constructor?
>
> The constructor of Worker and SharedWorker objects. Also updated the
> chromestatus so that it is clear.
>
> > > *Blink component*
> > > Blink>SecurityFeature>ContentSecurityPolicy
> > > <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EContentSecurityPolicy%22>
> > >
> > > *TAG review*
> > > None
> > >
> > > *TAG review status*
> > > Not applicable
> > >
> > > *Risks*
> > >
> > > *Interoperability and Compatibility*
> >
> > Are you able to expand on the compatibility implications for this change,
> > i.e., do we know if Firefox has any site breakage as a result of their
> > behavior? What scenarios might surprise developers who are relying on
> > Chrome's current behavior, etc?
>
> We are not aware of any site breakage for Firefox due to its behavior. If
> a site has a worker that is blocked by CSP and has code after "new
> Worker()", that code currently does not run in Chrome or Safari, but runs
> in Firefox. After the change, that code would run in Chrome.
>
> Currently Firefox works as specified while Safari works the same as Chrome.
> With the wrong test code in WPT tests, Firefox is failing the tests:
> https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> After updating Chrome code and WPT tests, Firefox passes the tests while
> Safari fails the tests.
>
> > Can you explain what you mean by wrong test code?
>
> The current WPT test code expects an exception to be thrown, which is not
> what's required by the spec. The test code has a TODO comment stating that
> the test code is wrong, with a link to https://crbug.com/663298.
>
> > > *Gecko*: Shipped/Shipping
> > > *WebKit*: No signal
> > > *Web developers*: No signals
> > > *Other signals*: This changes the behavior to be the same as Firefox.
> > >
> > > *WebView application risks*
> > > *Does this intent deprecate or change behavior of existing APIs, such that
> > > it has potentially high risk for Android WebView-based applications?*
> > >
> > > *Debuggability*
> > > When a worker is blocked by CSP, a DevTools message is logged about the
> > > blocking by CSP. This behavior is not changed.
> > >
> > > *Will this feature be supported on all six Blink platforms (Windows, Mac,
> > > Linux, ChromeOS, Android, and Android WebView)?*
> > > Yes
> > >
> > > *Is this feature fully tested by web-platform-tests
> > > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
> > > Yes
> > > https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> > > https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned
> > > Note that the test code currently has the wrong expectation and will be
> > > updated as part of this feature work.
> > >
> > > *Flag name on about://flags*
> > > None
> > >
> > > *Finch feature name*
> > > None
> > >
> > > *Non-finch justification*
> > > This is a simple change of behavior for the uncommon scenario where a
> > > worker is blocked by CSP, and the changed behavior is the same as Firefox
> > > and spec aligned. It is unlikely that a site depends on the current
> > > behavior of throwing an exception for a blocked worker.
> >
> > Can we back up "it is unlikely" with some data? Absent that, I would
> > strongly suggest we put this behind a flag.
>
> Changed the plan to put this new behavior behind the
> NoThrowForCSPBlockedWorker feature flag. Also updated the chromestatus.
>
> > > *Requires code in //chrome?*
> > > False
> > >
> > > *Tracking bug*
> > > https://issues.chromium.org/issues/41285169
> > >
> > > *Estimated milestones*
> > > Shipping on desktop: 134
> > > DevTrial on desktop: 134
> > > Shipping on Android: 134
> > > DevTrial on Android: 134
> > > Shipping on WebView: 134
> > >
> > > *Anticipated spec changes*
> > > *Open questions about a feature may be a source of future web compat or
> > > interop issues. Please list open issues (e.g. links to known github issues
> > > in the project for the feature specification) whose resolution may
> > > introduce web compat/interop risk (e.g., changing to naming or structure of
> > > the API in a non-backward-compatible way).*
> > > None
> > >
> > > *Link to entry on the Chrome Platform Status*
> > > https://chromestatus.com/feature/5177205656911872?gate=5108732671033344
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "blink-dev" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to blink-dev+unsubscr...@chromium.org.
> > > To view this discussion visit
> > > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CO1PR00MB2285E0FC0FEC6768415E9F979E1F2%40CO1PR00MB2285.namprd00.prod.outlook.com
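The compatibility point raised in the thread, as an added example that is not part of the intent or of Chromium's code: page code that wraps `new Worker()` only in try/catch keeps working under the legacy behaviour (synchronous SecurityError, so nothing after the constructor runs) but silently loses its error handling under the spec behaviour (constructor returns, `error` event fires asynchronously). The helper below handles both. The constructor is injected so the two browser behaviours can be simulated outside a browser; `ThrowingWorker`, `ErrorEventWorker`, the script URL and the console message text are constructed stand-ins, not real browser objects, and in a page you would pass the global `Worker`.

```javascript
// Added example (not from the blink-dev thread or Chromium). Creates a worker
// so that a CSP block is handled under both behaviours discussed in the intent:
//   - legacy Chromium / Safari: `new Worker(url)` throws a SecurityError
//     synchronously, so code after the constructor never runs;
//   - Firefox, the Fetch spec, Chromium with NoThrowForCSPBlockedWorker: the
//     constructor returns and an `error` event fires asynchronously instead.
// WorkerCtor is injected (pass the global Worker in a page) so the behaviours
// can be simulated below with test doubles.
function createWorkerSafely(url, WorkerCtor, onBlocked) {
  let worker;
  try {
    worker = new WorkerCtor(url);
  } catch (e) {
    // Synchronous path (legacy behaviour): DOMException named "SecurityError".
    if (e && e.name === "SecurityError") {
      onBlocked({ path: "sync", error: e });
      return null;
    }
    throw e; // anything else is a real bug, not a CSP block
  }
  // Asynchronous path (spec behaviour). Caveat: a failed fetch or a script
  // error raises the same event, so a CSP block is not distinguishable here;
  // the DevTools console message mentioned in the intent is the tell.
  worker.addEventListener("error", (ev) => onBlocked({ path: "async", error: ev }));
  return worker;
}

// Models the thread's observation directly: does the statement after
// `new Worker()` run? The try/catch only keeps the demo from crashing.
function codeAfterConstructorRuns(WorkerCtor) {
  try {
    new WorkerCtor("/csp-blocked-worker.js"); // constructed URL (assumption)
    return true;  // Firefox / spec / new Chromium: constructor returned
  } catch (e) {
    return false; // legacy Chromium / Safari: SecurityError thrown first
  }
}

// --- Constructed test doubles for the two behaviours (not real Workers) ---

function makeSecurityError(message) {
  // Browsers throw a DOMException named "SecurityError"; Node has DOMException
  // since v17, with a plain Error fallback for older runtimes.
  if (typeof DOMException === "function") return new DOMException(message, "SecurityError");
  const e = new Error(message);
  e.name = "SecurityError";
  return e;
}

// Legacy Chromium / Safari: throw from the constructor.
class ThrowingWorker {
  constructor(url) {
    // Message text is a constructed approximation, not Chromium's exact wording.
    throw makeSecurityError(`Refused to create a worker from '${url}' (Content Security Policy)`);
  }
}

// Spec / Firefox: return an object; report the failure as a queued `error` event.
class ErrorEventWorker extends EventTarget {
  constructor(url) {
    super();
    this.scriptURL = url;
    // The browser queues a task after the failed fetch; a microtask is enough
    // to model "after the constructor has returned".
    queueMicrotask(() => this.dispatchEvent(new Event("error")));
  }
}

// Runs the safe pattern against one constructor. Resolves with which path
// reported the block and whether a worker object was handed back.
function runScenario(WorkerCtor) {
  return new Promise((resolve) => {
    const outcome = { blockedVia: null, gotWorkerObject: false };
    const worker = createWorkerSafely("/csp-blocked-worker.js", WorkerCtor, ({ path }) => {
      outcome.blockedVia = path;
      resolve(outcome);
    });
    outcome.gotWorkerObject = worker !== null;
  });
}
```

`codeAfterConstructorRuns(ThrowingWorker)` is false and `codeAfterConstructorRuns(ErrorEventWorker)` is true, which is the difference Liang Zhao describes; `runScenario` shows that the helper reports the block on both paths, via `"sync"` for the throwing constructor and `"async"` for the event-firing one. The test doubles exist only because the CSP decision is made by the browser and cannot be reproduced in Node.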