LGTM2

On Wednesday, May 21, 2025 at 11:29:13 AM UTC-7 mike...@chromium.org wrote:

> Sounds good - thanks for the explanation.
>
> LGTM1
> On 5/21/25 12:35 PM, Liang Zhao (REDMOND) wrote:
>
> Most exception handlers just eat the exception; some output a "not 
> supported" message. A few try to fall back to a data: URL, and if that still 
> throws, some just eat the exception (outputting a "not supported" message) and others 
> seem to mark inline service worker as not supported. I don’t see how 
> that "not supported" mark was used. It seems to me that the most direct 
> impact of the exception handlers is to allow the code after them to continue.
>
>  
>
> Liang
>
>  
>
> *From:* Mike Taylor <mike...@chromium.org> 
> *Sent:* Wednesday, May 21, 2025 5:51 AM
> *To:* Liang Zhao (REDMOND) <liang...@microsoft.com>; blink-dev 
> <blin...@chromium.org>
> *Cc:* Philip Jägenstedt <foo...@chromium.org>; lzhao via Chromestatus 
> <admin...@cr-status.appspotmail.com>
> *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error 
> event instead of throwing for CSP blocked worker
>
>  
>
> Thank you for doing this work! One small question below, but this 
> generally seems like it will be safe to land.
>
> On 5/20/25 6:45 PM, 'Liang Zhao (REDMOND)' via blink-dev wrote:
>
> An update. 
> https://chromestatus.com/metrics/feature/timeline/popularity/5356 now has 
> a list of URLs. I’ve tested those 110 URLs and some sites collected by Edge, 
> and no change of behavior was observed.
>
>  
>
> A few sites closed the connection and could not be tested, and some sites 
> request a login, so I could do only very limited testing. For what I could 
> test, no site behavior change was observed.
>
>  
>
> Observations:
>
>    1. Almost all blocked worker URLs are blob: URLs. Comments on one site 
>    probably explain why blob: URLs are used: only a same-origin worker URL is 
>    allowed; to work around this restriction, for script libs hosted on their 
>    own site, including a CDN, the libs create a blob URL for the remote worker 
>    script and then use that blob to create the worker. As the script from the lib 
>    runs in the host page’s origin, the blob is created with the hosting page’s 
>    origin and worker creation is allowed, except when CSP blocks it. 
>    2. Most blocked worker creations are related to “libs”. For example, 
>    WordPress’s wpTestEmojiSupports worker accounts for 40 of the 110 URLs; 
>    even https://devblogs.microsoft.com/ hits this. And crazyegg.com’s 
>    script accounts for 7 of the URLs. 
>    3. This is indeed a meaningful behavior change to the scripts. Most of 
>    the scripts have exception handlers, and only a few have an error event handler or 
>    use a timeout for a message from the worker to detect errors (crazyegg uses 
>    a timeout). However, most of the exception handlers doesn’t really do much. 
>
> Could you clarify what "doesn't... do much" means?
>
>
>    4.   
>    5. I also loaded 2 sites into Firefox and didn’t see site payload 
>    different from Edge or Chrome. 
>
>  
>
> Liang
>
>  
>
> *From:* 'Liang Zhao' via blink-dev <blin...@chromium.org> 
> *Sent:* Friday, May 9, 2025 2:09 PM
> *To:* blink-dev <blin...@chromium.org>
> *Cc:* Philip Jägenstedt <foo...@chromium.org>; blin...@chromium.org 
> <blin...@chromium.org>; lzhao via Chromestatus 
> <admin...@cr-status.appspotmail.com>
> *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Fire error event 
> instead of throwing for CSP blocked worker
>
>  
>
> Thanks for taking another look at this. Will wait for a month to see 
> whether we could get a list of URLs that hit the scenario to check them.
>
>  
>
> The behavior (returning a worker object and later firing an error event on 
> it) already happens when loading the script fails. That is actually what 
> CSP is trying to simulate when blocking it, as if we failed to fetch the 
> script.
>
> On Wednesday, May 7, 2025 at 8:21:15 AM UTC-7 Philip Jägenstedt wrote:
>
> Hi Liang,
>
>  
>
> https://chromestatus.com/metrics/feature/timeline/popularity/5356 is 
> already somewhat high, but it is also an upper bound on the risk and 
> probably not reflective of how many sites will be broken. Looking at a 
> sample of sites that hit the use counter and seeing what the impact of the 
> change is would be very helpful. If this isn't urgent, you could wait until 
> there are example sites listed on chromestatus.com, or get a list of 
> sites from Edge's UKM data. With a list of sites, checking ~20 of them at 
> random and reporting your findings should be enough to make a call on this.
>
>  
>
> Also, does the new behavior (returning a Worker object and later firing an 
> error event on it) already happen for some other kind of error, so that 
> it's likely already handled? That would also reduce the risk here.
>
>  
>
> Best regards,
>
> Philip
>
>  
>
> On Tue, May 6, 2025 at 1:34 AM lzhao via Chromestatus <
> admin...@cr-status.appspotmail.com> wrote:
>
> Added telemetry data as suggested for the scenario, and the data can be viewed 
> at https://chromestatus.com/metrics/feature/timeline/popularity/5356. 
> There are some hits, but no hits for top sites. And Safari has also shipped 
> the behavior change.
>
> -- 
>
> You received this message because you are subscribed to the Google Groups 
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to blink-dev+...@chromium.org.
>
> To view this discussion visit 
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com
>  
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68194b11.170a0220.4750a.00de.GAE%40google.com?utm_medium=email&utm_source=footer>
> .
>
>
>
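The behavior change discussed in this thread, as an added example that is not part of the original messages or of any site's code: a worker start-up helper that treats the synchronous throw (old behavior for a CSP-blocked URL), the later error event (new behavior, same as a failed script fetch) and a silent worker (the timeout approach the thread attributes to crazyegg) as the same failure. The name `startWorker`, its options and the convention that the worker script posts a first message once it is running are assumptions of this sketch.

```javascript
// Added example: startWorker and its option names are hypothetical.
// WorkerCtor is injectable so the logic can be exercised outside a browser.
function startWorker(url, { WorkerCtor = globalThis.Worker, readyTimeoutMs = 3000 } = {}) {
  return new Promise((resolve) => {
    let worker;
    try {
      // Old behavior: a CSP-blocked worker URL throws here, synchronously.
      worker = new WorkerCtor(url);
    } catch (err) {
      resolve({ ok: false, reason: "threw", worker: null });
      return;
    }

    let timer;
    const finish = (result) => {
      clearTimeout(timer);
      worker.removeEventListener("error", onError);
      worker.removeEventListener("message", onMessage);
      if (!result.ok) worker.terminate(); // do not leave a dead worker around
      resolve({ ...result, worker: result.ok ? worker : null });
    };

    // New behavior: the constructor returns a Worker and an error event
    // fires on it later, exactly as when fetching the script fails.
    const onError = () => finish({ ok: false, reason: "error-event" });

    // Assumption: the worker script posts one message when it is up.
    const onMessage = (ev) => finish({ ok: true, reason: "ready", first: ev.data });

    worker.addEventListener("error", onError);
    worker.addEventListener("message", onMessage);

    // Safety net for a worker that neither errors nor reports ready.
    timer = setTimeout(() => finish({ ok: false, reason: "timeout" }), readyTimeoutMs);
  });
}
```

A caller that only wraps `new Worker(...)` in `try`/`catch` keeps running after the change but never learns that the worker was blocked; checking `ok` on the resolved result covers both browser behaviors.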
