LGTM3. Thanks for your patient work on this! On Thu, May 22, 2025 at 6:26 AM 'Dan Clark' via blink-dev < blink-dev@chromium.org> wrote:
> LGTM2 > > On Wednesday, May 21, 2025 at 11:29:13 AM UTC-7 mike...@chromium.org > wrote: > >> Sounds good - thanks for the explanation. >> >> LGTM1 >> On 5/21/25 12:35 PM, Liang Zhao (REDMOND) wrote: >> >> Most exception handlers just eat the exception, some output some not >> supported message. A few try to fallback to data: url, and if that still >> throws, some just eats the exception (output not support message) and other >> seems to mark inline service worker as not supported. Don’t see that how >> that not supported mark was used. It seems to me that the most direct >> impact of the exception handlers is to allow code after it to continue. >> >> >> >> Liang >> >> >> >> *From:* Mike Taylor <mike...@chromium.org> >> *Sent:* Wednesday, May 21, 2025 5:51 AM >> *To:* Liang Zhao (REDMOND) <liang...@microsoft.com>; blink-dev >> <blin...@chromium.org> >> *Cc:* Philip Jägenstedt <foo...@chromium.org>; lzhao via Chromestatus >> <admin...@cr-status.appspotmail.com> >> *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error >> event instead of throwing for CSP blocked worker >> >> >> >> Thank you for doing this work! One small question below, but this >> generally seems like it will be safe to land. >> >> On 5/20/25 6:45 PM, 'Liang Zhao (REDMOND)' via blink-dev wrote: >> >> An update. >> https://chromestatus.com/metrics/feature/timeline/popularity/5356 now >> has list of urls. I’ve tested those 110 urls and some sites collected by >> Edge and no change of behavior was observed. >> >> >> >> A few sites closed the connection and could not be tested and some sites >> request login and could only do very limited testing. For what I could >> test, no site behavior change was observed. >> >> >> >> Observations: >> >> 1. Almost all blocked worker urls are blob: urls. Comments on one >> site probably explains why blob: urls are used: only same origin worker >> url >> is allowed, to workaround this restriction, for script libs hosted in >> their >> own site including cdn, the libs create a blob url for the remote worker >> script and then use that blob to create worker. As the script from the lib >> runs in the host page’s origin, blob is created with the hosting page’s >> origin and worker creation is allowed, except when CSP blocks it. >> 2. Most blocked worker creation are related to “libs”. For example, >> WordPress’s wpTestEmojiSupports worker accounts for 40 of the 110 urls, >> even https://devblogs.microsoft.com/ hits this. And crazyegg.com’s >> script accounts for 7 of the urls. >> 3. This is indeed a meaningful behavior change to the scripts. Most >> of scripts has exception handlers, and only a few has error event handler >> or use timeout for message from worker to detect error (crazyegg uses >> timeout). However, most of the exception handlers doesn’t really do much. >> >> Could you clarify what "doesn't... do much" means? >> >> >> 4. >> 5. I also loaded 2 sites into Firefox and didn’t see site payload >> different from Edge or Chrome. >> >> >> >> Liang >> >> >> >> *From:* 'Liang Zhao' via blink-dev <blin...@chromium.org> >> *Sent:* Friday, May 9, 2025 2:09 PM >> *To:* blink-dev <blin...@chromium.org> >> *Cc:* Philip Jägenstedt <foo...@chromium.org>; blin...@chromium.org >> <blin...@chromium.org>; lzhao via Chromestatus >> <admin...@cr-status.appspotmail.com> >> *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error event >> instead of throwing for CSP blocked worker >> >> >> >> Thanks for taking another look at this. Will wait for a month to see >> whether we could get a list of URLs that hit the scenario to check them. >> >> >> >> The behavior (return a worker object and later firing an error event on >> it) already happen when loading the script failed. That is actually what >> CSP trying to simulate when blocking it, as if we failed to fetch the >> script. >> >> On Wednesday, May 7, 2025 at 8:21:15 AM UTC-7 Philip Jägenstedt wrote: >> >> Hi Liang, >> >> >> >> https://chromestatus.com/metrics/feature/timeline/popularity/5356 is >> already somewhat high, but it is also an upper bound on the risk and >> probably not reflective of how many sites will be broken. Looking at a >> sample of sites that hit the use counter and seeing what the impact of the >> change is would be very helpful. If this isn't urgent, you could wait until >> there are example sites listed on chromestatus.com, or get a list of >> sites from Edge's UKM data. With a list of sites, checking ~20 of them at >> random and reporting your findings should be enough to make a call on this. >> >> >> >> Also, does the new behavior (returning a Worker object and later firing >> an error event on it) already happen for some other kind of error, so that >> it's likely already handled? That would also reduce the risk here. >> >> >> >> Best regards, >> >> Philip >> >> >> >> On Tue, May 6, 2025 at 1:34 AM lzhao via Chromestatus < >> admin...@cr-status.appspotmail.com> wrote: >> >> Added telemetry data as siggested for the scenario and data can be viewed >> at https://chromestatus.com/metrics/feature/timeline/popularity/5356. >> There are some hits, but no hits for top sites. And Safari has also shipped >> the behavior change. >> >> -- >> >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com?utm_medium=email&utm_source=footer> >> . >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/eacc0c6a-c89f-4eab-8d1f-3d084967db7fn%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/eacc0c6a-c89f-4eab-8d1f-3d084967db7fn%40chromium.org?utm_medium=email&utm_source=footer> >> . >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/SA6PR00MB22949F1B4952977C83E5A3C99E9FA%40SA6PR00MB2294.namprd00.prod.outlook.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/SA6PR00MB22949F1B4952977C83E5A3C99E9FA%40SA6PR00MB2294.namprd00.prod.outlook.com?utm_medium=email&utm_source=footer> >> . >> >> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d0e119ef-dfb2-4aa4-83cd-4688e1932af8n%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d0e119ef-dfb2-4aa4-83cd-4688e1932af8n%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra_kqVtgwo1L9MZHdwO57e70NThdnYk93izhPTD%3DAVx_GQ%40mail.gmail.com.
