Fire error event instead of throwing exception for CSP blocked worker constructor #451

Open
LiangTheDev opened this issue Jan 17, 2025 · 1 comment

Comments

@LiangTheDev

WebKittens

No response

Title of the proposal

Fire error event instead of throwing exception for CSP blocked worker constructor

URL to the spec

https://www.w3.org/TR/CSP3/#fetch-integration

URL to the spec's repository

No response

Issue Tracker URL

No response

Explainer URL

No response

TAG Design Review URL

No response

Mozilla standards-positions issue URL

No response

WebKit Bugzilla URL

No response

Radar URL

No response

Description

When blocked by Content Security Policy, Safari and Chromium currently throw a SecurityError from the constructor when new Worker(url) and new SharedWorker(url) are run. However, the spec requires CSP to be checked as part of fetch, which happens asynchronously. So the correct behavior should be to not throw an exception in the Worker and SharedWorker constructors, but instead fire an error event, which Firefox is currently doing.

There are WPT tests that are testing the behavior of CSP-blocked workers. However, the test code currently wrongly expects the SecurityError exception. There is a TODO comment in the test code linking to https://crbug.com/663298 indicating that the tests should be updated. See https://github.com/web-platform-tests/wpt/blob/109d4a64f757cc6689e7050f1cea59a2c1823eca/content-security-policy/support/testharness-helper.js#L100-L104 and https://github.com/web-platform-tests/wpt/blob/109d4a64f757cc6689e7050f1cea59a2c1823eca/content-security-policy/support/testharness-helper.js#L119-L123. The tests are https://wpt.fyi/results/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned and
https://wpt.fyi/results/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html?label=experimental&label=master&aligned.

We intend to change Chromium's behavior to be aligned with the spec and update the test code.
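
The two behaviors described in this issue, handled by one helper, as an added example that is not part of the original issue or of any browser's or WPT's code. The names `createWorkerSafely`, `ThrowingWorker`, `EventFiringWorker` and the report shape are hypothetical, and the two classes are constructed stand-ins for the engine behaviors so the block runs outside a browser.

```javascript
// createWorkerSafely and the report shape are hypothetical names for this example.
function createWorkerSafely(WorkerCtor, url, onLoadFailure) {
  let worker;
  try {
    worker = new WorkerCtor(url);
  } catch (err) {
    // Path 1: the constructor throws SecurityError synchronously
    // (current Safari and Chromium behavior, per the issue).
    if (err && err.name === 'SecurityError') {
      onLoadFailure({ via: 'exception', url });
      return null;
    }
    throw err; // anything else is not a policy block; do not swallow it
  }
  // Path 2: the constructor succeeds and an error event fires later
  // (Firefox behavior, and what the issue says the spec requires).
  worker.addEventListener('error', (event) => {
    // Assumption: a load failure arrives as a plain Event, while an uncaught
    // script error inside a running worker carries a message string.
    if (typeof event.message !== 'string') {
      onLoadFailure({ via: 'event', url });
    }
  });
  return worker;
}

// Constructed stand-ins for the two engine behaviors, so the example runs
// outside a browser. In a page, pass the real Worker or SharedWorker.
class ThrowingWorker {
  constructor() {
    const err = new Error('blocked by policy');
    err.name = 'SecurityError';
    throw err;
  }
}
class EventFiringWorker extends EventTarget {
  constructor(url) {
    super();
    this.url = url;
  }
  // Stands in for the browser firing error once the fetch is blocked.
  simulateBlockedFetch() {
    this.dispatchEvent(new Event('error'));
  }
}
```

A report with `via: 'event'` means the worker script failed to load; it does not by itself identify CSP as the cause.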

@annevk
Contributor

annevk commented Jan 17, 2025

I guess with the usual web compatibility caveats this seems worth trying. Having each endpoint be responsible for CSP integration was never a great design so if we can move away from that we should.

As such I suggest we mark this as position: support one week from now.
