Add a few cases to preload SRI #33326

Merged
merged 4 commits into from
Mar 29, 2022

@noamr noamr commented Mar 23, 2022

  1. preload without SRI, resource with matching SRI
  2. Both preload and resource with matching SRI, but different algorithm

These two cases don't show the same results across browsers.

  • In Chromium both would not reuse the preload
  • In WebKit they both reuse the preload
  • In Gecko the first one does not reuse and the second one does.

Note that in WebKit most of the tests in this file currently fail; WebKit does not perform SRI matching on preload/consume.

The test results in this PR match Chromium, but they are not necessarily "correct".
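
The two cases described above, as an added example (not code from this PR or from any browser): a Node.js model with three hypothetical reuse policies that were picked only because they reproduce the outcomes the comment reports for Chromium, WebKit and Gecko. The policy names, the `consume` helper and the sample resource body are assumptions made for illustration.

```javascript
// Added example; policy names and sample data are constructed, not browser code.
const crypto = require('node:crypto');
const BODY = Buffer.from('console.log("hello");\n'); // constructed resource body

// Build an integrity value "<alg>-<base64 digest>" for a body.
const sri = (alg, body) =>
  `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;

// Parse integrity metadata into [{alg, digest}], dropping unsupported tokens.
function parseIntegrity(value) {
  return (value || '').trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)/.exec(tok);
    return m && { alg: m[1], digest: m[2] };
  }).filter(Boolean);
}

// SRI check: empty metadata passes; else the body must match a digest of the strongest algorithm.
function verify(body, integrity) {
  const items = parseIntegrity(integrity);
  if (items.length === 0) return true;
  const strongest = items.map((i) => i.alg).sort().pop(); // sha256 < sha384 < sha512
  return items.filter((i) => i.alg === strongest)
    .some((i) => sri(i.alg, body) === `${i.alg}-${i.digest}`);
}

// Hypothetical reuse policies, picked only to reproduce the reported outcomes.
const POLICIES = {
  exactMetadata: (p, r) => p.integrity === r.integrity, // as reported for Chromium
  ignoreMetadata: () => true,                           // as reported for WebKit
  verifiedPreload: (p, r) =>                            // as reported for Gecko
    !r.integrity || (p.integrity !== '' && verify(p.body, r.integrity)),
};

// The two cases from the PR description: [preload, consuming request].
const CASES = {
  preloadWithoutSri: [{ body: BODY, integrity: '' }, { integrity: sri('sha256', BODY) }],
  differentAlgorithm: [{ body: BODY, integrity: sri('sha256', BODY) },
                       { integrity: sri('sha384', BODY) }],
};

// Returns {reused, fetches}: a request that cannot reuse the preload refetches.
function consume(policy, [preload, request]) {
  const reused = POLICIES[policy](preload, request);
  return { reused, fetches: reused ? 1 : 2 };
}

for (const policy of Object.keys(POLICIES))
  for (const name of Object.keys(CASES))
    console.log(policy, name, consume(policy, CASES[name]));
```

The fetch count is the observable a test can assert on: one request when the preload is reused, two when it is not.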

@noamr noamr requested review from yoavweiss and domfarolino March 23, 2022 15:05
@yoavweiss yoavweiss left a comment

LGTM

noamr commented Mar 23, 2022

> LGTM

Thanks! I want to reach a consensus on whatwg/fetch#1418 before merging.

@noamr noamr changed the title Add two cases to preload SRI Add a few cases to preload SRI Mar 23, 2022
@wpt-pr-bot wpt-pr-bot requested a review from snuggs March 23, 2022 16:10
See whatwg/html#7655

When loading video from multiple opaque origins (by a middleman service-worker),
video loading should fail rather than be allowed and taint the canvas.

That's because some of the video responses may contain metadata such as duration that
would leak to the subsequent requests.

See whatwg/html#2814 (comment) for further details.

This change makes the test case pass in all browsers.
@noamr noamr closed this Mar 25, 2022
@noamr noamr reopened this Mar 25, 2022
@noamr noamr merged commit 6a214e8 into master Mar 29, 2022
@noamr noamr deleted the preload-sri branch March 29, 2022 14:14
SRIPreloadTest(
true,
false,
`Same-origin ${destination} with non-matching digest reuses preload with no digest but fails.`,
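
Review bot: the description on the last visible line, "reuses preload with no digest but fails", does not say what fails (the load itself or the integrity check), and the bare `true, false` arguments above it give no hint which expectation each one encodes. Suggest wording the description in terms of the observable outcome the test asserts, and adding a short inline comment naming each boolean so the call can be checked against its description without opening the helper.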
"does not reuse preload"? (as Line 350 is "2")

@hiroshige-g
sorry for delay, LGTM (with a minor comment)
