Sounds good - thanks for the explanation.
LGTM1
On 5/21/25 12:35 PM, Liang Zhao (REDMOND) wrote:
Most exception handlers just eat the exception, some output some not
supported message. A few try to fallback to data: url, and if that
still throws, some just eats the exception (output not support
message) and other seems to mark inline service worker as not
supported. Don’t see that how that not supported mark was used. It
seems to me that the most direct impact of the exception handlers is
to allow code after it to continue.
Liang
*From:*Mike Taylor <miketa...@chromium.org>
*Sent:* Wednesday, May 21, 2025 5:51 AM
*To:* Liang Zhao (REDMOND) <liang.z...@microsoft.com>; blink-dev
<blink-dev@chromium.org>
*Cc:* Philip Jägenstedt <foo...@chromium.org>; lzhao via Chromestatus
<admin+lz...@cr-status.appspotmail.com>
*Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error
event instead of throwing for CSP blocked worker
Thank you for doing this work! One small question below, but this
generally seems like it will be safe to land.
On 5/20/25 6:45 PM, 'Liang Zhao (REDMOND)' via blink-dev wrote:
An update.
https://chromestatus.com/metrics/feature/timeline/popularity/5356
now has list of urls. I’ve tested those 110 urls and some sites
collected by Edge and no change of behavior was observed.
A few sites closed the connection and could not be tested and some
sites request login and could only do very limited testing. For
what I could test, no site behavior change was observed.
Observations:
1. Almost all blocked worker urls are blob: urls. Comments on one
site probably explains why blob: urls are used: only same
origin worker url is allowed, to workaround this restriction,
for script libs hosted in their own site including cdn, the
libs create a blob url for the remote worker script and then
use that blob to create worker. As the script from the lib
runs in the host page’s origin, blob is created with the
hosting page’s origin and worker creation is allowed, except
when CSP blocks it.
2. Most blocked worker creation are related to “libs”. For
example, WordPress’s wpTestEmojiSupports worker accounts for
40 of the 110 urls, even https://devblogs.microsoft.com/ hits
this. And crazyegg.com’s script accounts for 7 of the urls.
3. This is indeed a meaningful behavior change to the scripts.
Most of scripts has exception handlers, and only a few has
error event handler or use timeout for message from worker to
detect error (crazyegg uses timeout). However, most of the
exception handlers doesn’t really do much.
Could you clarify what "doesn't... do much" means?
4.
5. I also loaded 2 sites into Firefox and didn’t see site payload
different from Edge or Chrome.
Liang
*From:*'Liang Zhao' via blink-dev <blink-dev@chromium.org>
<mailto:blink-dev@chromium.org>
*Sent:* Friday, May 9, 2025 2:09 PM
*To:* blink-dev <blink-dev@chromium.org>
<mailto:blink-dev@chromium.org>
*Cc:* Philip Jägenstedt <foo...@chromium.org>
<mailto:foo...@chromium.org>; blin...@chromium.org
<blink-dev@chromium.org> <mailto:blink-dev@chromium.org>; lzhao
via Chromestatus <admin+lz...@cr-status.appspotmail.com>
<mailto:admin+lz...@cr-status.appspotmail.com>
*Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error
event instead of throwing for CSP blocked worker
Thanks for taking another look at this. Will wait for a month to
see whether we could get a list of URLs that hit the scenario to
check them.
The behavior (return a worker object and later firing an error
event on it) already happen when loading the script failed. That
is actually what CSP trying to simulate when blocking it, as if we
failed to fetch the script.
On Wednesday, May 7, 2025 at 8:21:15 AM UTC-7 Philip Jägenstedt wrote:
Hi Liang,
https://chromestatus.com/metrics/feature/timeline/popularity/5356
is already somewhat high, but it is also an upper bound on the
risk and probably not reflective of how many sites will be
broken. Looking at a sample of sites that hit the use counter
and seeing what the impact of the change is would be very
helpful. If this isn't urgent, you could wait until there are
example sites listed on chromestatus.com
<http://chromestatus.com/>, or get a list of sites from Edge's
UKM data. With a list of sites, checking ~20 of them at random
and reporting your findings should be enough to make a call on
this.
Also, does the new behavior (returning a Worker object and
later firing an error event on it) already happen for some
other kind of error, so that it's likely already handled? That
would also reduce the risk here.
Best regards,
Philip
On Tue, May 6, 2025 at 1:34 AM lzhao via Chromestatus
<admin...@cr-status.appspotmail.com> wrote:
Added telemetry data as siggested for the scenario and
data can be viewed at
https://chromestatus.com/metrics/feature/timeline/popularity/5356.
There are some hits, but no hits for top sites. And Safari
has also shipped the behavior change.
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/eacc0c6a-c89f-4eab-8d1f-3d084967db7fn%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/eacc0c6a-c89f-4eab-8d1f-3d084967db7fn%40chromium.org?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/SA6PR00MB22949F1B4952977C83E5A3C99E9FA%40SA6PR00MB2294.namprd00.prod.outlook.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/SA6PR00MB22949F1B4952977C83E5A3C99E9FA%40SA6PR00MB2294.namprd00.prod.outlook.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/62d11d09-5adc-4447-a35e-df01b1c2e288%40chromium.org.
