Adapt to Fetch's data URL changes #1782
Conversation
annevk
added
topic: fetch
compat
|
LGTM (after #1782 lands). Would be nice to either write some WPTs or file a bug with suggestions on what sort of tests to write. |
annevk
changed the title
| <li><p>If <var>is shared</var> is true and <var>url</var>'s <span | ||
| data-x="concept-url-scheme">scheme</span> is "<code>data</code>", then <span>queue a task</span> | ||
| to <span>fire a simple event</span> named <code data-x="event-error">error</code> at | ||
| <var>worker</var>, and abort these steps.</p></li> | ||
|
|
||
| <li id="worker-processing-model-top"> |
There was a problem hiding this comment.
Nit: Probably move this ID up to the new first item (or the ol?)
There was a problem hiding this comment.
I guess that's fine, I wonder who uses that ID...
| @@ -97025,6 +97029,11 @@ interface <dfn>AbstractWorker</dfn> { | |||
| <li><p>Let <var>worker global scope</var> be <var>realm</var>'s <span | |||
| data-x="concept-realm-global">global object</span>.</p></li> | |||
|
|
|||
| <li><p>Let <var>origin</var> be an <span data-x="concept-origin-opaque">opaque origin</span> if | |||
There was a problem hiding this comment.
In https://html.spec.whatwg.org/#concept-origin-opaque, Document objects are assigned "a unique opaque origin". Probably best to remain consistent with that "unique" usage.
| data-x="blob protocol">blob:</code> URLs.</p> | ||
| <p class="note">Any <span data-x="same origin">same-origin</span> URL, including <code | ||
| data-x="blob protocol">blob:</code> URLs, and any <code data-x="data protocol">data:</code> URL | ||
| works.</p> |
| data-x="blob protocol">blob:</code> URLs.</p> | ||
| <p class="note">Any <span data-x="same origin">same-origin</span> URL, including <code | ||
| data-x="blob protocol">blob:</code> URLs, works. <code data-x="data protocol">data:</code> URLs | ||
| do not work.</p> |
By-and-large browsers treat data URLs as same-origin, though there are some inconsistencies. This change will treat all data URLs, regardless of origin, as same-origin from the perspective of Fetch. HTML already assigns a unique opague origin to documents created from a data URL and the plan of record is to do so for dedicated workers too. HTML will likely also forbid shared workers to be created from data URLs. See whatwg/html#1782 for the proposed changes to HTML. (This has not landed yet, if that PR is tweaked further the note added here might need some tweaks.) Service workers already prevent anything but HTTP(S) URLs from creating them. Fixes #381.
|
It seems that given #1243 (comment) we might want to also make this work for shared workers after all. It would require an additional origin slot I think, or something better I have not thought of. All that is pending approval from Chrome so marking this red. |
annevk
added
the
do not merge yet
annevk
force-pushed
the
remove-same-origin-data-url-flag
branch
2 times, most recently
from
14d1e7a to
7434119
Compare
|
I discussed this with @mikewest again and he's fine with the Firefox model as that allows introducing opaque origin workers going forward even without the use of data URLs. (We could maybe say that for module workers, data URLs are same-origin, but I'm not sure if we want to go there. But technically the concern that we have with classic workers doesn't apply there.) The main remaining problem with this patch is that cf0355d badly regressed setting state on Basically wherever we decide setting that state, we should also set constructor origin. That would make everything work and it's not even that much additional complexity. |
cf0355d regressed setting up a SharedWorkerGlobalScope by removing the steps that set its constructor url and name. This was noticed in #1782 (comment).
|
Think I fixed that in #1858; unassigning from me. Reassign if you want me to actually review this PR :) |
|
Yeah, I'd like review from you both I think. I realize there's a little bit of rebasing that needs to be done, but I'd rather wait with that until #1858 lands and I think this can be reviewed in quite some detail already. |
cf0355d regressed setting up a SharedWorkerGlobalScope by removing the steps that set its constructor url and name. This was noticed in #1782 (comment). This also changes the constructor url from a string to a URL record, for consistency with other URLs stored on objects throughout the spec.
| @@ -97073,6 +97070,12 @@ interface <dfn>AbstractWorker</dfn> { | |||
| <li><p>Let <var>worker global scope</var> be <var>realm</var>'s <span | |||
| data-x="concept-realm-global">global object</span>.</p></li> | |||
|
|
|||
| <li><p>Let <var>origin</var> be a unique <span | |||
There was a problem hiding this comment.
It wouldn't impact anything normative, but I think you could inline this algorithm into the origin "getter" below instead of creating a variable for it.
| data-x="blob protocol">blob:</code> URLs.</p> | ||
| <p class="note">Any <span data-x="same origin">same-origin</span> URL, including <code | ||
| data-x="blob protocol">blob:</code> URLs, and any <code data-x="data protocol">data:</code> URL | ||
| can be used.</p> |
There was a problem hiding this comment.
Phrasing is awkward, hmm.
"Any same-origin URL (including blob: URLs) can be used; data: URLs will also work, despite not being same-origin"?
(Here and below, whatever we end up on.)
| data-x="concept-SharedWorkerGlobalScope-constructor-url">constructor url</span> is | ||
| <var>urlString</var>, and <span data-x="concept-SharedWorkerGlobalScope-name">name</span> is | ||
| <var>name</var>, then set <var>worker global scope</var> to that | ||
| <code>SharedWorkerGlobalScope</code> object.</p></li> |
There was a problem hiding this comment.
I think that we should add a note here that explains how it's possible for constructor url to be equal but constructor origin to be different. Something like: "The reason we compare both constructor url and constructor origin is that data: URLs cause the created worker settings object to have a unique opaque origin, instead of one derived from the constructor url. This ensures that using the same data: URL multiple times creates separate SharedWorkerGlobalScope instances, as desired." (Hope I got that right...)
There was a problem hiding this comment.
That's not quite right. The same data URL can be used to get the same instance, but we don't want to allow that across documents of different origins. Therefore we store the origin of the constructor. So only if the constructor origin is same-origin can the URL be equal.
cf0355d regressed setting up a SharedWorkerGlobalScope by removing the steps that set its constructor url and name. This was noticed in #1782 (comment). This also changes the constructor url from a string to a URL record, for consistency with other URLs stored on objects throughout the spec.
annevk
force-pushed
the
remove-same-origin-data-url-flag
branch
from
dde4386 to
07b2fc7
Compare
|
@zcorpan do you know if data URLs are already tested? Is the top-level workers/ directory the only place where we have tests? (I guess it's not part of html/ due to forks?) I also found stuff is wrong, e.g., https://github.com/w3c/web-platform-tests/blob/master/workers/constructors/SharedWorker/URLMismatchError.htm tests for a "URLMismatchError" which if I recall correctly we removed some time ago. |
| can be used.</p> | ||
| <p class="note">Any <span data-x="same origin">same-origin</span> URL (including <code | ||
| data-x="blob protocol">blob:</code> URLs) can be used. <code data-x="data protocol">data:</code> | ||
| URLs can also be used, but create a worker with an <span data-x="concept-opaque-origin">opaque |
There was a problem hiding this comment.
Nit: "but they create" instead of "but create"; both are correct but the former reads a bit easier. Here and below.
domenic
added
needs tests
Provide basic tests for whatwg/html#1782.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
Fixes #1243. Basically, data URLs create (shared) workers that have a unique opaque origin.
annevk
force-pushed
the
remove-same-origin-data-url-flag
branch
from
19272bd to
d1088a2
Compare
Basic test for whatwg/html#1782.
See whatwg/html#1782 for pointers to more context.
|
I added some tests. This can be landed through "rebase and merge" imo. |
domenic
removed
the
needs tests
|
For posterity and tracking purposes, the tests
Do @bzbarsky or @mikewest want to help review those? I hope we can get them merged sooner rather than later; letting tests languish is a bad failure mode for this more-tests push. (/cc @foolip) |
Since #387 landed HTML’s change in whatwg/html#1782 was adjusted a bit for shared workers.
|
I've taken a look at the tests, but would really like @mikewest to do so as well. |
Basic test for whatwg/html#1782.
See whatwg/html#1782 for pointers to more context.
Provide basic tests for whatwg/html#1782.
|
All three tests reviewed and merged by me, but further review wouldn't hurt. |
|
All three tests look good to me. |
cf0355d regressed setting up a SharedWorkerGlobalScope by removing the steps that set its constructor url and name. This was noticed in whatwg#1782 (comment). This also changes the constructor url from a string to a URL record, for consistency with other URLs stored on objects throughout the spec.
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.
Closes #1243, closes #1778, and closes #1779 as these are all treated
as same-origin now per the change to Fetch.