Remove navigation support for multipart/x-mixed-replace resources #1353
Conversation
As per https://bugzilla.mozilla.org/show_bug.cgi?id=1276918 this is not widely implemented (except for images). As per https://bugs.chromium.org/p/chromium/issues/detail?id=249132 the complexity of this feature is a security a concern. Coupled with it being rarely used by all accounts there’s ample reason to remove it from the HTML Standard.
|
Note that this conflicts with #1346. I've no preference on what we do first though. |
|
I'd like to hear a bit more from implementers. Right now from reading those bugs I gather the matrix is:
Although I agree that this clearly doesn't meet the bar as-is, it's possible one outcome here would be that we leave it in for images only. @bzbarsky has already commented in the Gecko bug and seems in favor of leaving it in. @cdumez, @DigiTec, as our go-to WebKit and Edge people, any thoughts on this issue? @avidrissman, I know you and one other engineer whose name I forgot were working on navigate a lot in Blink; have you run into this code? |
|
I'm new enough on nav that I haven't yet run into this. The other nav expert is @csreis. Charlie, WDYT? |
|
I don't know that I'm in favor of leaving it in per se; I just think that trying to remove it will break lots of things, so is probably not viable. :( |
|
@domenic this is specifically only about navigation where only Gecko has actual support. I need to make sure that it results in a network error though, I think, rather than just an unknown MIME type. |
|
Alternatively we render it as HTML which Edge appears to do, but seems rife with potential XSS. |
|
You can navigate to images. |
|
Relevant WebKit discussion: We decided to keep support for multipart/x-mixed-replace main resources (which I believe applies here in the context of navigation) due to certain WebCam pages that relied on it (having a MJPEG main resource). |
|
Yeah, supporting images seems good. That would still remove most of the complexity of this recursively invoking navigate though since we'd reuse the image codepath. At least, as far as I can tell. |
annevk
added
the
do not merge yet
|
I'm not familiar with this area either. Looking at https://crrev.com/152363 where it was removed, I'd suggest asking japhet@chromium.org (who knows more about DocumentLoader). Not sure what his handle is here, so I'll send him a link. |
|
Blink removed support for general multipart/x-mixed-replace navigations in https://src.chromium.org/viewvc/blink?view=revision&revision=152363 and added back in narrow support for images-as-main-resource in https://chromium.googlesource.com/chromium/src/+/3b48d99c334c370b39f041ef3a6f743faa61b426. I think restrict to images is a good tradeoff, as MJPEG seems to be the case users have cared about. |
|
Okay, so as-is this is broken. I guess I'll need to write some more tests unless anyone knows of existing test coverage? |
|
8b630f5 refined things a bit here, but I'm going to close this for now as it looks like this requires much more research that doesn't seem urgent relative to other issues. |
As per https://bugzilla.mozilla.org/show_bug.cgi?id=1276918 this is not
widely implemented (except for images). As per
https://bugs.chromium.org/p/chromium/issues/detail?id=249132 the
complexity of this feature is a security a concern. Coupled with it
being rarely used by all accounts there’s ample reason to remove it
from the HTML Standard.