Closed Bug 1623916 Opened 5 years ago Closed 5 years ago

Restrict strictly enforcing MIME checks for Worker scripts to early beta or earlier

Categories

(Core :: DOM: Security, task, P1)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox75 + fixed
firefox76 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Keywords: site-compat, Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1623916: Restrict strictly enforcing MIME checks for Worker scripts to early beta or earlier. r=sdetar
47 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review

There are some concerns around shipping that restriction in FF75. For now, let's disable in 75 and potentially do some telemetry around mime type checking on worker scripts.

Tom, it seems folks are concerned about breakage. Probably we should do some telemetry and then re-enable. Any chance you are willing to file a follow up and take that on?

Flags: needinfo?(evilpies)

Are these concerns actually based on any practical observations or data?
If we look at SCRIPT_BLOCK_INCORRECT_MIME_3 for beta, we see worker_load - 98.55k (0%), but importScript_load 911.62k (0.01%). We are already blocking importScripts.

Flags: needinfo?(evilpies)
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/a24063d376c0 Restrict strictly enforcing MIME checks for Worker scripts to early beta or earlier. r=baku

(In reply to Tom Schuster [:evilpie] from comment #3)

Are these concerns actually based on any practical observations or data?

I would say they're based on an abundance of caution. Do we have telemetry showing how many scripts we'd block in release?

[Tracking Requested - why for this release]: Julien, how do you feel about keeping this on <= beta for 75?

tracking-firefox75: --- → ?
Priority: -- → P1

I guess there is more important stuff to worry about. Domenic created this PR: https://github.com/whatwg/html/pull/5302. I think we can just wait for implementer feedback from other browsers on that.

Keywords: site-compat

https://hg.mozilla.org/mozilla-central/rev/a24063d376c0

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox76: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
See Also: → 1569123

Please request uplift to beta when you get a chance.

Flags: needinfo?(ckerschb)

Comment on attachment 9134697 [details]
Bug 1623916: Restrict strictly enforcing MIME checks for Worker scripts to early beta or earlier. r=sdetar

Beta/Release Uplift Approval Request

  • User impact if declined: Worker scripts not using the correct mime type will be blocked which might downgrade a users experience because certain script is not executed.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1624113
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The uplift request is simply to flip the introduced pref to false which will allow worker scripts to execute even if they are not shipped using the correct mime type.
  • String changes made/needed: no
Flags: needinfo?(ckerschb)
Attachment #9134697 - Flags: approval-mozilla-beta?

Comment on attachment 9134697 [details]
Bug 1623916: Restrict strictly enforcing MIME checks for Worker scripts to early beta or earlier. r=sdetar

approved for 75.0b8

Attachment #9134697 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: