Add goal parameter checks to JavaScript #3205
I am -1 on this change. I think the current setup works well and I don't think this adds anything to the ecosystem. I know @annevk disagrees, but that's where we're at. In short I don't think adding this server-side configuration knob adds anything. We already have good signals on the client side and this just adds potential confusion and opportunity for conflict. Given the arguments presented so far, we are not interested in implementing this in Chrome.
@domenic can you clarify
Is there a way to remove this confusion by changing something?
No, I think the existence of the goal parameter causes confusion compared to the existing mechanisms of selecting classic vs. module script, and as such we should not introduce it into browsers in any way. (I.e. we should treat it like any other unknown parameter.)
Then, do you feel it is not desirable for a server to be able to guard its content to be restricted to one goal of JS? Which seems to be part of @allenwb's review in bmeck/I-D#1
Right, I don't think that's necessary, or at least we haven't seen any developer demand for it yet.
If we made this goal parameter authoritative (and reject when it's wrong) browsers could more easily add optimizations throughout the loading pipeline as they no longer need out-of-band information as to what the type of the resource is.
That's reasonably compelling. Are there any implementers interested in using that signal?
Actually, it's not necessary to reject when it's wrong, since the browser can just de-opt if it turns out to be incorrect.
A hard fail seems like better developer ergonomics. And also better for users as the de-opt won't happen with deployed code and therefore user resources are not wasted.
Allowing code to be executed with the wrong goal sounds like a potential security risk.
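Added example, not part of the thread, the PR, or any browser's code: a sketch of the two behaviours debated above, treating `goal` like any other unknown parameter versus treating it as authoritative and hard-failing on a mismatch. The parameter values `script` and `module`, the function names, and the fail-closed handling of unrecognised values are assumptions of this sketch.

```javascript
// Parse the parameters of a Content-Type header into a lowercase map.
// Simplification: does not handle ';' inside quoted parameter values.
function parseParams(header) {
  const params = new Map();
  for (const part of String(header).split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    // First occurrence wins, so a duplicated parameter cannot override it.
    if (name && !params.has(name)) params.set(name, value.toLowerCase());
  }
  return params;
}

// requested: "classic" (<script>) or "module" (<script type="module">),
//            i.e. the client-side signal that exists today.
// policy:    "ignore"        -> goal is treated like any unknown parameter
//            "authoritative" -> a goal that contradicts the request blocks the load
function checkGoal(header, requested, policy) {
  const goal = parseParams(header).get("goal");
  if (policy === "ignore" || goal === undefined) {
    return { load: true, reason: "goal-not-consulted" };
  }
  // Assumed mapping between the client-side script type and the goal value.
  const expected = requested === "module" ? "module" : "script";
  if (goal === expected) return { load: true, reason: "goal-matches" };
  // Hard fail: the server declared a different goal (or an unrecognised one),
  // so the resource is never parsed under a goal the server did not intend.
  return { load: false, reason: "goal-mismatch" };
}

// Constructed sample: a module-only resource requested by a classic <script>.
const sample = "text/javascript; charset=utf-8; goal=module";
console.log(checkGoal(sample, "classic", "ignore"));        // loads
console.log(checkGoal(sample, "classic", "authoritative")); // blocked
```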
For tests, we'll need:
The language in the PR will also need to be cleaned up a bit, but would be good to hear from @whatwg/modules what they think about this first.
I tried to think through the security argument. It seems that if you only have Another thing to test:
This adds tests regarding scripts with a specified goal parameter whatwg/html#3205 TEST=wpt/html/semantics/scripting-1/the-script-element/goal.htm
@annevk Put up a PR for tests. Is there anything else to do for now?
@bmeck great, thanks. At this point we need to wait for implementers and the folks from @whatwg/modules to weigh in.
Firefox supports making this change.
@annevk to unblock this should I do anything? It has been over 1 month since I saw the comment that Firefox supports this, do I need to PR an implementation to them before this can be merged?
@bmeck per https://whatwg.org/working-mode we need two interested implementers. There's also a bunch of other changes that need to be made, but I was waiting for more folks to reply before doing a more thorough review. Maybe @whatwg/security is more interested in this than @whatwg/modules? To be clear the proposal here is to add a
This adds tests regarding scripts with a specified goal parameter whatwg/html#3205
…al parameter, a=testonly Automatic update from web-platform-tests: Implement script MIME restrictions for goal parameter (#8094) This adds tests regarding scripts with a specified goal parameter whatwg/html#3205 -- wpt-commits: 395d96467d0fa57b3006b13ce1855e86e2b42907 wpt-pr: 8094
This test was committed without the corresponding standard change at whatwg/html#3205 having landed. Reverts #8094.
Automatic update from web-platform-tests: Delete goal-parameter.htm This test was committed without the corresponding standard change at whatwg/html#3205 having landed. Reverts #8094. -- wpt-commits: fb745708cbe264d7477b846cb87d67dcce310e27 wpt-pr: 13034
Unfortunately this didn't go anywhere and it would be too late to add restrictions retroactively. And https://tools.ietf.org/html/draft-ietf-dispatch-javascript-mjs#section-6.1.1 doesn't seem to pursue this parameter anymore, so closing.
See bmeck/I-D#17