Preload: only allow certain values for the as attribute #10212
Looks good with nits. Although I wonder what the deal is with json and whether adding that to the spec was a mistake since nobody seems to be working on implementing it?
This seems like "somebody is working on implementing it", no?
I wonder if we should leave JSON off until implementers implement that? Just having it as a destination does not mean it works for preload (the whole point of this PR is to make that clear!) so I'm not sure that
It's implemented and tested, at least in part: web-platform-tests/wpt#41665
I beg to differ: https://wpt.fyi/results/preload?label=experimental&label=master&aligned But I do agree having WPT is a good first start so seems the intent is to eventually support this?
I can't tell. It says the issue is fixed, so I anticipate no more work will happen on it. But, the WPT still doesn't pass. Maybe @nicolo-ribaudo can clarify?
Removed
I originally added The use case for JSON is that you might want to pre-download your full JS modules graph (i.e. same use case as If we want to support it, we should also make sure that
OK, thinking about this again, since JSON is a module-thing, it only makes sense when preloading a module graph (
Can we leave it in WPT (it's helpful to know what's NOT supported - and would have saved me writing a test case if I'd thought to look there) but change it from
Also,
Gotcha, makes sense. Anyway, all of that is beyond the scope of this patch.
Spec text LGTM. Let me know when the tests are updated for JSON.
Done (web-platform-tests/wpt#45426)
…b.html.

In the WPT PR 41665 [1], connect-src: 'none' was added to the CSP of preload-csp.sub.html [2]; the reason is that the json modules will use 'connect-src' as the CSP directive, see the destination "json" in [3].

However, this test calls "hasArrivedAtServer" to verify the result [4], which uses the 'fetch()' API [5]. And according to the CSP spec, the directive for fetch() is "connect-src" (see the empty string in [3]).

Hence the change introduced in [2] causes the call to fetch() to violate the CSP restriction, and causes the test to fail on all browser vendors [6].

Checking the history on wpt.fyi in [6] further, we can find that all browsers started to fail on Oct.31.2023, which is also the date the PR 41665 [1] was merged into master [7].

Now back to the test itself: since preloading json modules is not allowed in the previous patch D234849 [8] and whatwg PR 10212 [9], we can simply remove the connect-src: 'none' CSP directive.

[1]: #41665
[2]: 40db1c8#diff-18344ffd5be3dce2faabd52b30c10d3c7beeef3a024eac638c8e0e71b07bb7c6R2
[3]: https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
[4]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/preload-csp.sub.html#L33
[5]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/resources/preload_helper.js#L10
[6]: https://wpt.fyi/results/preload/preload-csp.sub.html?label=experimental&label=master&aligned
[7]: 40db1c8
[8]: https://phabricator.services.mozilla.com/D234849
[9]: whatwg/html#10212

Differential Revision: https://phabricator.services.mozilla.com/D235314
bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940382
gecko-commit: 55b5b1beb2a8901e30af5d9f6f2fb4b6122be5b8
gecko-reviewers: dom-core, farre
…viewers,valentin,farre

Implement whatwg/html#10212

Disallow preloading for "json".
https://html.spec.whatwg.org/#translate-a-preload-destination

And add mime-type check for JSON files.

Differential Revision: https://phabricator.services.mozilla.com/D234849
…preload-csp.sub.html. r=dom-core,farre

In the WPT PR 41665 [1], connect-src: 'none' was added to the CSP of preload-csp.sub.html [2]; the reason is that the json modules will use 'connect-src' as the CSP directive, see the destination "json" in [3].

However, this test calls "hasArrivedAtServer" to verify the result [4], which uses the 'fetch()' API [5]. And according to the CSP spec, the directive for fetch() is "connect-src" (see the empty string in [3]).

Hence the change introduced in [2] causes the call to fetch() to violate the CSP restriction, and causes the test to fail on all browser vendors [6].

Checking the history on wpt.fyi in [6] further, we can find that all browsers started to fail on Oct.31.2023, which is also the date the PR 41665 [1] was merged into master [7].

Now back to the test itself: since preloading json modules is not allowed in the previous patch D234849 [8] and whatwg PR 10212 [9], we can simply remove the connect-src: 'none' CSP directive.

[1]: web-platform-tests/wpt#41665
[2]: web-platform-tests/wpt@40db1c8#diff-18344ffd5be3dce2faabd52b30c10d3c7beeef3a024eac638c8e0e71b07bb7c6R2
[3]: https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
[4]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/preload-csp.sub.html#L33
[5]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/resources/preload_helper.js#L10
[6]: https://wpt.fyi/results/preload/preload-csp.sub.html?label=experimental&label=master&aligned
[7]: web-platform-tests/wpt@40db1c8
[8]: https://phabricator.services.mozilla.com/D234849
[9]: whatwg/html#10212

Differential Revision: https://phabricator.services.mozilla.com/D235314
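The CSP reasoning in the commit messages above, as an added JavaScript example (not code from WPT, Gecko, or either specification): it shows why `connect-src 'none'` blocks the test's own `fetch()` helper while a `json` preload never produces a request at all. The destination table is a subset of the CSP algorithm at [3], the preload allow-list is assumed from the HTML Standard's "translate a preload destination" step, the policies are constructed, and source matching is reduced to `'none'` versus anything else.

```javascript
// Added example. Subset of CSP "effective directive for a request" [3]; any
// destination not listed, including fetch()'s empty string, maps to connect-src.
const DIRECTIVES = new Map([
  ["font", "font-src"], ["image", "img-src"], ["track", "media-src"],
  ["style", "style-src-elem"], ["script", "script-src-elem"],
  ["json", "connect-src"],
]);
const effectiveDirective = (dest) => DIRECTIVES.get(dest) ?? "connect-src";

// HTML "translate a preload destination" after this PR (allow-list assumed from
// the HTML Standard): other values, now including "json", give null = no fetch.
const PRELOADABLE = new Set(["fetch", "font", "image", "script", "style", "track"]);
function translatePreloadDestination(as) {
  if (!PRELOADABLE.has(as)) return null;
  return as === "fetch" ? "" : as;
}

// Parse a serialized policy; a repeated directive is ignored (first one wins).
function parsePolicy(serialized) {
  const policy = new Map();
  for (const part of serialized.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Simplified matching: blocked only if the governing source list is empty or
// 'none'. Fallback: directive, then the same without "-elem", then default-src.
function isBlocked(policy, dest) {
  const directive = effectiveDirective(dest);
  const chain = [directive, directive.replace(/-elem$/, ""), "default-src"];
  const sources = policy.get(chain.find((name) => policy.has(name)));
  if (!sources) return false;
  return sources.length === 0 || sources.join(" ") === "'none'";
}

// Constructed policies (not copied from preload-csp.sub.html).
const WITH_CONNECT_NONE = "font-src 'none'; img-src 'none'; connect-src 'none'";
const WITHOUT_CONNECT = "font-src 'none'; img-src 'none'";
function report(serialized) {
  const policy = parsePolicy(serialized);
  return {
    jsonPreloadDestination: translatePreloadDestination("json"),
    jsonRequestBlocked: isBlocked(policy, "json"),
    helperFetchBlocked: isBlocked(policy, ""), // fetch() in hasArrivedAtServer
    fontPreloadBlocked: isBlocked(policy, translatePreloadDestination("font")),
  };
}
console.log(report(WITH_CONNECT_NONE), report(WITHOUT_CONNECT));
```

With `connect-src 'none'` present, `helperFetchBlocked` is true, so the verification request cannot reach the server whatever the preload did; without it, the font preload is still blocked by its own directive.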
Closes #8332
json value which is new. (See WHATWG Working Mode: Changes for more details.)