Thank you for doing this work! One small question below, but this
generally seems like it will be safe to land.
On 5/20/25 6:45 PM, 'Liang Zhao (REDMOND)' via blink-dev wrote:
An update.
https://chromestatus.com/metrics/feature/timeline/popularity/5356 now
has list of urls. I’ve tested those 110 urls and some sites collected
by Edge and no change of behavior was observed.
A few sites closed the connection and could not be tested and some
sites request login and could only do very limited testing. For what I
could test, no site behavior change was observed.
Observations:
* Almost all blocked worker urls are blob: urls. Comments on one
site probably explains why blob: urls are used: only same origin
worker url is allowed, to workaround this restriction, for script
libs hosted in their own site including cdn, the libs create a
blob url for the remote worker script and then use that blob to
create worker. As the script from the lib runs in the host page’s
origin, blob is created with the hosting page’s origin and worker
creation is allowed, except when CSP blocks it.
* Most blocked worker creation are related to “libs”. For example,
WordPress’s wpTestEmojiSupports worker accounts for 40 of the 110
urls, even https://devblogs.microsoft.com/ hits this. And
crazyegg.com’s script accounts for 7 of the urls.
* This is indeed a meaningful behavior change to the scripts. Most
of scripts has exception handlers, and only a few has error event
handler or use timeout for message from worker to detect error
(crazyegg uses timeout). However, most of the exception handlers
doesn’t really do much.
Could you clarify what "doesn't... do much" means?
*
* I also loaded 2 sites into Firefox and didn’t see site payload
different from Edge or Chrome.
Liang
*From:*'Liang Zhao' via blink-dev <blink-dev@chromium.org>
*Sent:* Friday, May 9, 2025 2:09 PM
*To:* blink-dev <blink-dev@chromium.org>
*Cc:* Philip Jägenstedt <foo...@chromium.org>; blin...@chromium.org
<blink-dev@chromium.org>; lzhao via Chromestatus
<admin+lz...@cr-status.appspotmail.com>
*Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error event
instead of throwing for CSP blocked worker
Thanks for taking another look at this. Will wait for a month to see
whether we could get a list of URLs that hit the scenario to check them.
The behavior (return a worker object and later firing an error event
on it) already happen when loading the script failed. That is actually
what CSP trying to simulate when blocking it, as if we failed to fetch
the script.
On Wednesday, May 7, 2025 at 8:21:15 AM UTC-7 Philip Jägenstedt wrote:
Hi Liang,
https://chromestatus.com/metrics/feature/timeline/popularity/5356
is already somewhat high, but it is also an upper bound on the
risk and probably not reflective of how many sites will be broken.
Looking at a sample of sites that hit the use counter and seeing
what the impact of the change is would be very helpful. If this
isn't urgent, you could wait until there are example sites listed
on chromestatus.com <http://chromestatus.com/>, or get a list of
sites from Edge's UKM data. With a list of sites, checking ~20 of
them at random and reporting your findings should be enough to
make a call on this.
Also, does the new behavior (returning a Worker object and later
firing an error event on it) already happen for some other kind of
error, so that it's likely already handled? That would also reduce
the risk here.
Best regards,
Philip
On Tue, May 6, 2025 at 1:34 AM lzhao via Chromestatus
<admin...@cr-status.appspotmail.com> wrote:
Added telemetry data as siggested for the scenario and data
can be viewed at
https://chromestatus.com/metrics/feature/timeline/popularity/5356.
There are some hits, but no hits for top sites. And Safari has
also shipped the behavior change.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to blink-dev+...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/eacc0c6a-c89f-4eab-8d1f-3d084967db7fn%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/eacc0c6a-c89f-4eab-8d1f-3d084967db7fn%40chromium.org?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/SA6PR00MB22949F1B4952977C83E5A3C99E9FA%40SA6PR00MB2294.namprd00.prod.outlook.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/SA6PR00MB22949F1B4952977C83E5A3C99E9FA%40SA6PR00MB2294.namprd00.prod.outlook.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0411c2bf-25f1-4620-9d24-9fc696871c07%40chromium.org.
