An update. https://chromestatus.com/metrics/feature/timeline/popularity/5356 
now has a list of URLs. I’ve tested those 110 URLs and some sites collected by 
Edge, and no change of behavior was observed.

A few sites closed the connection and could not be tested, and some sites 
request login, so I could only do very limited testing on them. For what I could 
test, no site behavior change was observed.

Observations:

  *   Almost all blocked worker URLs are blob: URLs. Comments on one site 
probably explain why blob: URLs are used: only a same-origin worker URL is 
allowed; to work around this restriction, for script libs hosted on their own 
site, including a CDN, the libs create a blob URL for the remote worker script 
and then use that blob to create the worker. As the script from the lib runs in 
the host page’s origin, the blob is created with the hosting page’s origin and 
worker creation is allowed, except when CSP blocks it.
  *   Most blocked worker creations are related to “libs”. For example, 
WordPress’s wpTestEmojiSupports worker accounts for 40 of the 110 URLs; even 
https://devblogs.microsoft.com/ hits this. And crazyegg.com’s script accounts 
for 7 of the URLs.
  *   This is indeed a meaningful behavior change to the scripts. Most of the 
scripts have exception handlers, and only a few have an error event handler or 
use a timeout for a message from the worker to detect errors (crazyegg uses a 
timeout). However, most of the exception handlers don’t really do much.
  *   I also loaded 2 sites into Firefox and didn’t see a site payload different 
from Edge or Chrome.

Liang
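
Added example, not part of the thread and not code from any of the sites mentioned: a worker start-up wrapper that funnels a constructor exception, a later error event and a missing reply into one failure path, which are the three detection styles the observations above describe. The `ready` handshake, the `startWorker` and `FakeWorker` names and the `blob:` strings are assumptions made for illustration.

```javascript
// startWorker reports one failure path whether the browser throws from the
// Worker constructor or returns a Worker and fires an error event later.
function startWorker(url, { WorkerCtor = globalThis.Worker, timeoutMs = 2000, onReady, onFail }) {
  let settled = false, timer = null, worker = null;
  const fail = (reason) => {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    if (worker) worker.terminate();
    onFail(reason);
  };
  try {
    worker = new WorkerCtor(url);            // may throw when CSP blocks the URL
  } catch (err) {
    fail('constructor-threw');
    return null;
  }
  // Same signal a failed script fetch produces.
  worker.addEventListener('error', () => fail('error-event'));
  worker.addEventListener('message', (ev) => {
    // Assumed handshake: the worker script posts 'ready' once it has loaded.
    if (settled || ev.data !== 'ready') return;
    settled = true;
    clearTimeout(timer);
    onReady(worker);
  });
  // Fallback for a worker that never reports anything.
  timer = setTimeout(() => fail('timeout'), timeoutMs);
  return worker;
}

// Constructed stand-in for Worker so the example runs outside a browser.
class FakeWorker {
  constructor(url) {
    if (url === 'blob:throws') throw new Error('SecurityError (simulated)');
    this.handlers = {};
  }
  addEventListener(type, fn) {
    (this.handlers[type] = this.handlers[type] || []).push(fn);
  }
  fire(type, ev = {}) { (this.handlers[type] || []).forEach((fn) => fn(ev)); }
  terminate() { this.terminated = true; }
}

function demo() {
  const log = [];
  const opts = { WorkerCtor: FakeWorker, onReady: () => log.push('ready'), onFail: (r) => log.push(r) };
  startWorker('blob:throws', opts);                               // constructor throws
  startWorker('blob:blocked', opts).fire('error');                // error event fires
  startWorker('blob:ok', opts).fire('message', { data: 'ready' }); // worker loaded
  return log;
}
```

In a page, `WorkerCtor` defaults to the real `Worker`, and `onFail` is where a library would fall back to running the task on the main thread.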

From: 'Liang Zhao' via blink-dev <blink-dev@chromium.org>
Sent: Friday, May 9, 2025 2:09 PM
To: blink-dev <blink-dev@chromium.org>
Cc: Philip Jägenstedt <foo...@chromium.org>; blin...@chromium.org 
<blink-dev@chromium.org>; lzhao via Chromestatus 
<admin+lz...@cr-status.appspotmail.com>
Subject: [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error event instead of 
throwing for CSP blocked worker

Thanks for taking another look at this. Will wait for a month to see whether we 
could get a list of URLs that hit the scenario to check them.

The behavior (returning a worker object and later firing an error event on it) 
already happens when loading the script fails. That is actually what CSP is 
trying to simulate when blocking it, as if we failed to fetch the script.

On Wednesday, May 7, 2025 at 8:21:15 AM UTC-7 Philip Jägenstedt wrote:
Hi Liang,

https://chromestatus.com/metrics/feature/timeline/popularity/5356 is already 
somewhat high, but it is also an upper bound on the risk and probably not 
reflective of how many sites will be broken. Looking at a sample of sites that 
hit the use counter and seeing what the impact of the change is would be very 
helpful. If this isn't urgent, you could wait until there are example sites 
listed on chromestatus.com, or get a list of sites 
from Edge's UKM data. With a list of sites, checking ~20 of them at random and 
reporting your findings should be enough to make a call on this.

Also, does the new behavior (returning a Worker object and later firing an 
error event on it) already happen for some other kind of error, so that it's 
likely already handled? That would also reduce the risk here.

Best regards,
Philip

On Tue, May 6, 2025 at 1:34 AM lzhao via Chromestatus 
<admin...@cr-status.appspotmail.com> wrote:
Added telemetry data as suggested for the scenario and the data can be viewed at 
https://chromestatus.com/metrics/feature/timeline/popularity/5356. There are 
some hits, but no hits for top sites. And Safari has also shipped the behavior 
change.
--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+...@chromium.org.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com.