I could fix up this test: https://github.com/web-platform-tests/wpt/blob/master/workers/Worker_script_mimetype.htm
Thanks for creating this PR.

Thanks! I'd be interested in also getting tests for blob/data (maybe not filesystem), since it sounds like at least at one point in time those were treated differently...

Thanks! I'd be interested in also getting tests for blob/data (maybe not filesystem), since it sounds like at least at one point in time those were treated differently...

Yes, right. We only enforce the MIME type for HTTP loads at the moment. This is the case we most care about anyway. One exception is module loads where we enforce the right MIME type also at the script loader level, so it also applies to data: and blob:. I think we are not generally opposed to also fixing those, but it's not a priority.

We have delayed shipping this change in light of the current events.

We now intent to ship this in Firefox 81.

Great! Is the plan still to not enforce this for data: and blob:? Also, let me know on the plan for test updates...

I think for data: and blob: we would first have to add warnings and telemetry. It's quite easy to produce blob URLs without a type: new Worker(URL.createObjectURL(new Blob(["1 + 1"])))

For tests is there anything we could just copy or extend? I think when I first did this a year ago I fixed all WPT tests that were unintentionally using the wrong mime type for workers.

Alright, I'll rebase this and add carve-outs for data: and blob: URLs, although doing so makes me sad.

Fixing existing tests sounds great. Just send me a link to the web-platform-tests/wpt pull request, or Firefox change that will eventually get synced there, so we can link the changes there to this PR.

So for reference purposes:

• bug 1523706 is the original implementation bug
• bug 1569123 is for shipping this patch to release in 81
• bug 1557736 fixed a ton of WPT tests using wrong MIME types
• I think https://github.com/web-platform-tests/wpt/blob/master/workers/Worker_script_mimetype.htm is the only test we had to disable for this change to pass WPT afterwards

Working on precise spec text... what's the plan for about: and file: URLs? I'm trying to figure out if we should check HTTP(S) URLs explicitly, or if we should avoid checking data: and blob: URLs specifically.

Alright, I've got the pull request all straightened out, assuming that we're specifically exempting blob: and data: URLs.

For tests, we'll want a pull request/Firefox-side change for the https://github.com/web-platform-tests/wpt/blob/master/workers/Worker_script_mimetype.htm test you mentioned. It'd also be ideal to add specific tests (e.g. by expanding that test file) for:

• blob: URLs with the wrong MIME type, or with no MIME type, still work
• data: URLs with the wrong MIME type, or with no MIME type (which per the Fetch spec ends up as a MIME type of text/plain;charset=US-ASCII), still work.
• about:blank does not work.

file: URLs don't seem very testable on web platform tests infrastructure.

Right now the Firefox implementation is restricted to blocking bad scripts coming from http or https specifically. If we start blocking data: and blob: I am pretty sure we would just do it for every other protocol as well.

OK cool, I'll switch around the PR. In that case we should have tests to check that about:blank still works.

I'll wait on merging until we have some test updates ready to go.

I'm updating the tests now; I'll update the OP with a link to the test pull request, and then merge.

It turns out that about:blank is cross-origin so that isn't an issue.