Bug 192749
| Summary: | Consider strictly enforcing MIME checks for Workers. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mike West <mkwst> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | achristensen, ap, bfulgham, cdumez, d, webkit-bug-importer, wilander, youennf |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Mike West
After discussion in https://github.com/whatwg/html/issues/3255 and https://github.com/whatwg/html/pull/4001, Chrome is shipping strict MIME type checks on `importScripts()` in Chrome 71 (https://chromium-review.googlesource.com/c/chromium/src/+/1206270). Intent to Remove thread with discussion and data at https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ.
It would be lovely if y'all followed suit!
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/46889296>
Mike West
Chrome and Firefox shipped restrictions on `importScripts()` a little while back.
We're now both aiming to tighten it to `new {Shared,Service,}Worker()` as well. Perhaps y'all could weigh in, one way or another, on https://github.com/whatwg/html/issues/3255?
Brent Fulgham
On the surface this seems like a good change. We will definitely dig into this asap!
Domenic Denicola
We've now merged the second stage of this into the HTML spec: adding MIME type checks for HTTP(S) worker scripts. See https://github.com/whatwg/html/pull/5302 and the corresponding tests pull request in https://github.com/web-platform-tests/wpt/pull/24983. Firefox is shipping shortly.
data: and blob: URL workers are still not checked.
Sam Sneddon [:gsnedders]
*** This bug has been marked as a duplicate of bug 236411 ***