Add "json" destination for "connect-src" #611
|
The linking errors seem to be unrelated to this change 🤔 |
|
I wonder why this setup doesn't automatically return that as an otherwise clause. Why would we want to fallback to no CSP enforcement? That seems wrong. (To be clear, not a question for OP, but rather for @antosart.) |
|
The compilation issue should be fixed by #613. |
|
It would make sense to me that we always fall back to |
|
Thanks @antosart! Do you think this PR should still be (rebased and) merged to have the explicit case, or should I close it given that now we have the default fallback in place? |
|
@nicolo-ribaudo I think explicitly enumerating is better than relying on the fallback, so yes, let's keep this PR, thanks! I'm not sure about the state of whatwg/fetch#1691, we should probably wait for that PR to be merged or ready to be merged. |
|
The Fetch PR has been merged now @antosart. |
|
Thanks. Merging this now then! |
SHA: 9769609 Reason: push, by antosart Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This patch adds a new `json` fetch destination [fetch-spec-pr], that has
the following characteristics:
- it implies the `Accept: application/json,*/*;q=0.5` HTTP header;
- it uses the `connect-src` CSP directive [csp-spec-pr].
This new destination is used when fetching JSON module scripts, using
`import ... from "/data" with { type: "json" }` [html-spec-pr].
https://crrev.com/c/4949956 implements a similar change for CSS module
scripts, but their implementation is simpler because the `style`
destination already exists.
This patch passes all the relevant WPT tests [wpt-pr] (when using
--js-flags="--harmony_import_attributes), although I had to run them
manually because they have not been merged yet.
This patch does not add support for `<link rel="preload" as="json">`,
which is also introduced by the linked fetch and HTML spec changes.
[fetch-spec-pr]: whatwg/fetch#1691
[csp-spec-pr]: w3c/webappsec-csp#611
[html-spec-pr]: whatwg/html#9486
[wpt-pr]: web-platform-tests/wpt#41665
Bug: 1491336
Change-Id: I6661ddc9be04935e2ee760eb78d1060ae0192a55
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4955077
Reviewed-by: Takashi Toyoshima
Reviewed-by: David Bertoni
Reviewed-by: Hiroki Nakagawa
Reviewed-by: Xinghui Lu
Commit-Queue: Nicolò Ribaudo
Cr-Commit-Position: refs/heads/main@{#1249822}
whatwg/fetch#1691 adds a `"json"` destination to the fetch spec (see whatwg/html#9486 and whatwg/html#7233 for motivation). Given that JSON modules are powerless and they are so far usually loaded using `fetch()`, the intention is for them to re-use the `connect-src` CSP policy.
fyi @annevk @domenic
Closes #573.
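
As an added illustration (not part of this PR, the spec text, or the Chromium patch) of what routing JSON module requests through `connect-src` means for a deployed policy: the sketch below picks the governing directive by request destination and checks a URL against it. The `CHAIN` table, the function names, the hosts and the policy string are constructed for the example, and source matching is simplified (ports and paths in host-sources are ignored).

```javascript
// Added example: simplified CSP evaluation, not a full source-list matcher.
// Destination -> directive fallback chain (CSP3). "json" is the case this PR adds.
const CHAIN = {
  script: ["script-src-elem", "script-src", "default-src"],
  json: ["connect-src", "default-src"],
};

// Parse a policy string; per CSP, the first occurrence of a directive wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Assumption: ports and paths in host-sources are ignored to keep this short.
function matchesSource(expr, url, selfOrigin) {
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr.startsWith("'")) return false; // 'none', nonces, hashes, other keywords
  if (expr === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  // A host-source without a scheme is matched against the page's own scheme here.
  const scheme = (m[1] || new URL(selfOrigin).protocol.slice(0, -1)).toLowerCase();
  const host = m[2].toLowerCase();
  if (url.protocol !== scheme + ":") return false;
  return host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// Decide whether a request with the given destination may load `target`.
function isAllowed(header, destination, target, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = CHAIN[destination].find((d) => policy.has(d));
  if (!directive) return true; // no applicable directive: nothing restricts it
  const url = new URL(target, selfOrigin);
  return policy.get(directive).some((s) => matchesSource(s, url, selfOrigin));
}

// Constructed policy: the CDN is trusted for scripts but not for connections.
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example; connect-src 'self'";
const SELF = "https://app.example";
```

With this policy, a classic script from `https://cdn.example` loads, while `import data from "https://cdn.example/data.json" with { type: "json" }` is checked against `connect-src` and blocked; sites adopting JSON modules need the data origin listed there, not in `script-src`.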