Changeset 289672 in webkit

Timestamp:

Feb 11, 2022 2:57:33 PM (5 months ago)

Author:

Chris Dumez

Message:

Fix MIME type check for classic worker script fetches
​https://bugs.webkit.org/show_bug.cgi?id=236411

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

• web-platform-tests/workers/Worker_script_mimetype-expected.txt:
• web-platform-tests/workers/importscripts_mime.any.sharedworker-expected.txt:
• web-platform-tests/workers/importscripts_mime.any.worker-expected.txt:

Rebaseline WPT tests now that more checks are passing.

• web-platform-tests/workers/constructors/SharedWorker/Infinity.headers: Added.
• web-platform-tests/workers/constructors/SharedWorker/NaN.headers: Added.

Merge upstream fix from ​https://github.com/web-platform-tests/wpt/pull/32782.

Source/WebCore:

Fix MIME type check for classic worker script fetches and classic worker script imports, so that we are
now aligned with the specification:

• ​https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script (Step 5)
• ​https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-imported-script (Step 5)

This was causing us to fail some Web Platform Tests.

No new tests, rebaselined existing tests.

• bindings/js/WorkerModuleScriptLoader.cpp:

(WebCore::WorkerModuleScriptLoader::load):

• loader/FetchOptions.h:

(WebCore::isScriptLikeDestination):

• workers/Worker.cpp:

(WebCore::Worker::create):

• workers/WorkerGlobalScope.cpp:

(WebCore::WorkerGlobalScope::importScripts):

• workers/WorkerScriptLoader.cpp:

(WebCore::WorkerScriptLoader::loadSynchronously):
(WebCore::WorkerScriptLoader::loadAsynchronously):
(WebCore::constructJavaScriptMIMETypeError):
(WebCore::WorkerScriptLoader::validateWorkerResponse):
(WebCore::WorkerScriptLoader::didReceiveResponse):

• workers/WorkerScriptLoader.h:
• workers/service/ServiceWorkerJob.cpp:

(WebCore::ServiceWorkerJob::fetchScriptWithContext):

• workers/shared/SharedWorkerScriptLoader.cpp:

(WebCore::SharedWorkerScriptLoader::load):

Source/WebKit:

• NetworkProcess/ServiceWorker/ServiceWorkerSoftUpdateLoader.cpp:

(WebKit::ServiceWorkerSoftUpdateLoader::processResponse):

LayoutTests:

Fix existing layout tests to make sure that worker scripts are served with a JavaScript mime type.

• http/tests/resourceLoadStatistics/resources/script-revealing-cookies.py:
• http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.py:
• http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.py:
• http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.py:
• http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.py:
• http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.py:
• http/tests/security/contentSecurityPolicy/resources/worker.py:
• http/tests/workers/resources/subworker-encoded.py:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/resourceLoadStatistics/resources/script-revealing-cookies.py (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.py (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.py (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.py (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.py (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.py (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.py (modified) (1 diff)
• LayoutTests/http/tests/workers/resources/subworker-encoded.py (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/Worker_script_mimetype-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/constructors/SharedWorker/Infinity.headers (added)
• LayoutTests/imported/w3c/web-platform-tests/workers/constructors/SharedWorker/NaN.headers (added)
• LayoutTests/imported/w3c/web-platform-tests/workers/importscripts_mime.any.sharedworker-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/workers/importscripts_mime.any.worker-expected.txt (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/FetchOptions.h (modified) (1 diff)
• Source/WebCore/workers/Worker.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerGlobalScope.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerScriptLoader.cpp (modified) (6 diffs)
• Source/WebCore/workers/WorkerScriptLoader.h (modified) (3 diffs)
• Source/WebCore/workers/service/ServiceWorkerJob.cpp (modified) (1 diff)
• Source/WebCore/workers/shared/SharedWorkerScriptLoader.cpp (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/ServiceWorker/ServiceWorkerSoftUpdateLoader.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-02-11  Chris Dumez  <cdumez@apple.com>
+
+        Fix MIME type check for classic worker script fetches
+        https://bugs.webkit.org/show_bug.cgi?id=236411
+
+        Reviewed by Alex Christensen.
+
+        Fix existing layout tests to make sure that worker scripts are served with a JavaScript mime type.
+
+        * http/tests/resourceLoadStatistics/resources/script-revealing-cookies.py:
+        * http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.py:
+        * http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.py:
+        * http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.py:
+        * http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.py:
+        * http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.py:
+        * http/tests/security/contentSecurityPolicy/resources/worker.py:
+        * http/tests/workers/resources/subworker-encoded.py:
+
 2022-02-11  Antoine Quint  <graouts@webkit.org>
 

trunk/LayoutTests/http/tests/resourceLoadStatistics/resources/script-revealing-cookies.py

@@ -19 +19 @@
 first_party_cookie = cookies.get('firstPartyCookie', None)
 
-sys.stdout.write('Content-Type: text/html\r\n\r\n')
+sys.stdout.write('Content-Type: text/javascript\r\n\r\n')
 
 if first_party_cookie:

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.py

@@ -6 +6 @@
 determine_content_security_policy_header()
 sys.stdout.write(
-    'Content-Type: text/html\r\n\r\n'
+    'Content-Type: text/javascript\r\n\r\n'
     'self.result = false;\n'
     'var exception;\n'

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.py

@@ -6 +6 @@
 determine_content_security_policy_header()
 sys.stdout.write(
-    'Content-Type: text/html\r\n\r\n'
+    'Content-Type: text/javascript\r\n\r\n'
     'var exception;\n'
     'try {\n'

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.py

@@ -6 +6 @@
 determine_content_security_policy_header()
 sys.stdout.write(
-    'Content-Type: text/html\r\n\r\n'
+    'Content-Type: text/javascript\r\n\r\n'
     'var isAsynchronous = false;\n'
     'var xhr = new XMLHttpRequest;\n'

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.py

@@ -5 +5 @@
 
 sys.stdout.write(
-    'Content-Type: text/html\r\n\r\n'
+    'Content-Type: text/javascript\r\n\r\n'
     'var isAsynchronous = false;\n'
     'var xhr = new XMLHttpRequest;\n'

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.py

@@ -6 +6 @@
 determine_content_security_policy_header()
 sys.stdout.write(
-    'Content-Type: text/html\r\n\r\n'
+    'Content-Type: text/javascript\r\n\r\n'
     'var expectedExceptionCode = 19; // DOMException.NETWORK_ERR\n'
     'var isAsynchronous = false;\n'

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.py

@@ -13 +13 @@
     'Cache-Control: no-cache, must-revalidate\r\n'
     'Pragma: no-cache\r\n'
-    'Content-Type: text/html\r\n'
+    'Content-Type: text/javascript\r\n'
 )
 

trunk/LayoutTests/http/tests/workers/resources/subworker-encoded.py

@@ -11 +11 @@
     'Cache-Control: no-cache, must-revalidate\r\n'
     'Pragma: no-cache\r\n'
-    'Content-Type: text/html\r\n\r\n'
+    'Content-Type: text/javascript\r\n\r\n'
     'postMessage(\'Sub: Original test string: \' + String.fromCharCode(0x41F, 0x440, 0x438, 0x432, 0x435, 0x442));'
     'postMessage(\'Sub: Test string encoded using koi8-r: {}.\');'

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2022-02-11  Chris Dumez  <cdumez@apple.com>
+
+        Fix MIME type check for classic worker script fetches
+        https://bugs.webkit.org/show_bug.cgi?id=236411
+
+        Reviewed by Alex Christensen.
+
+        * web-platform-tests/workers/Worker_script_mimetype-expected.txt:
+        * web-platform-tests/workers/importscripts_mime.any.sharedworker-expected.txt:
+        * web-platform-tests/workers/importscripts_mime.any.worker-expected.txt:
+        Rebaseline WPT tests now that more checks are passing.
+
+        * web-platform-tests/workers/constructors/SharedWorker/Infinity.headers: Added.
+        * web-platform-tests/workers/constructors/SharedWorker/NaN.headers: Added.
+        Merge upstream fix from https://github.com/web-platform-tests/wpt/pull/32782.
+
 2022-02-11  Jon Lee  <jonlee@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/Worker_script_mimetype-expected.txt

@@ -1 +1 @@
 
-FAIL HTTP(S) URLs which respond with text/plain MIME type must not work assert_unreached: Worker should not recieve messages Reached unreachable code
+PASS HTTP(S) URLs which respond with text/plain MIME type must not work
 PASS blob: URLs should load, despite no MIME type for the backing Blob
 PASS blob: URLs should load, despite the wrong MIME type for the backing Blob

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/importscripts_mime.any.sharedworker-expected.txt

@@ -6 +6 @@
 PASS importScripts() requires scripty MIME types: text/csv is blocked.
 PASS importScripts() requires scripty MIME types: video/mpeg is blocked.
-FAIL importScripts() requires scripty MIME types: text/html is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: text/plain is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: application/xml is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: application/octet-stream is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: text/potato is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: potato/text is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: aaa/aaa is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: zzz/zzz is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
+PASS importScripts() requires scripty MIME types: text/html is blocked.
+PASS importScripts() requires scripty MIME types: text/plain is blocked.
+PASS importScripts() requires scripty MIME types: application/xml is blocked.
+PASS importScripts() requires scripty MIME types: application/octet-stream is blocked.
+PASS importScripts() requires scripty MIME types: text/potato is blocked.
+PASS importScripts() requires scripty MIME types: potato/text is blocked.
+PASS importScripts() requires scripty MIME types: aaa/aaa is blocked.
+PASS importScripts() requires scripty MIME types: zzz/zzz is blocked.
 PASS importScripts() requires scripty MIME types: text/javascript; charset=utf-8 is allowed.
 PASS importScripts() requires scripty MIME types: text/javascript;charset=utf-8 is allowed.
@@ -20 +20 @@
 PASS importScripts() requires scripty MIME types: text/csv;charset=utf-8 is blocked.
 PASS importScripts() requires scripty MIME types: text/csv;bla;bla is blocked.
-FAIL importScripts() requires scripty MIME types: Text/html is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: text/Html is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: TeXt/HtMl is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: TEXT/HTML is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
+PASS importScripts() requires scripty MIME types: Text/html is blocked.
+PASS importScripts() requires scripty MIME types: text/Html is blocked.
+PASS importScripts() requires scripty MIME types: TeXt/HtMl is blocked.
+PASS importScripts() requires scripty MIME types: TEXT/HTML is blocked.
 

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/importscripts_mime.any.worker-expected.txt

@@ -6 +6 @@
 PASS importScripts() requires scripty MIME types: text/csv is blocked.
 PASS importScripts() requires scripty MIME types: video/mpeg is blocked.
-FAIL importScripts() requires scripty MIME types: text/html is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: text/plain is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: application/xml is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: application/octet-stream is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: text/potato is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: potato/text is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: aaa/aaa is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: zzz/zzz is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
+PASS importScripts() requires scripty MIME types: text/html is blocked.
+PASS importScripts() requires scripty MIME types: text/plain is blocked.
+PASS importScripts() requires scripty MIME types: application/xml is blocked.
+PASS importScripts() requires scripty MIME types: application/octet-stream is blocked.
+PASS importScripts() requires scripty MIME types: text/potato is blocked.
+PASS importScripts() requires scripty MIME types: potato/text is blocked.
+PASS importScripts() requires scripty MIME types: aaa/aaa is blocked.
+PASS importScripts() requires scripty MIME types: zzz/zzz is blocked.
 PASS importScripts() requires scripty MIME types: text/javascript; charset=utf-8 is allowed.
 PASS importScripts() requires scripty MIME types: text/javascript;charset=utf-8 is allowed.
@@ -20 +20 @@
 PASS importScripts() requires scripty MIME types: text/csv;charset=utf-8 is blocked.
 PASS importScripts() requires scripty MIME types: text/csv;bla;bla is blocked.
-FAIL importScripts() requires scripty MIME types: Text/html is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: text/Html is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: TeXt/HtMl is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
-FAIL importScripts() requires scripty MIME types: TEXT/HTML is blocked. assert_throws_dom: function "_ => { importScripts(import_url) }" did not throw
+PASS importScripts() requires scripty MIME types: Text/html is blocked.
+PASS importScripts() requires scripty MIME types: text/Html is blocked.
+PASS importScripts() requires scripty MIME types: TeXt/HtMl is blocked.
+PASS importScripts() requires scripty MIME types: TEXT/HTML is blocked.
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-02-11  Chris Dumez  <cdumez@apple.com>
+
+        Fix MIME type check for classic worker script fetches
+        https://bugs.webkit.org/show_bug.cgi?id=236411
+
+        Reviewed by Alex Christensen.
+
+        Fix MIME type check for classic worker script fetches and classic worker script imports, so that we are
+        now aligned with the specification:
+        - https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script (Step 5)
+        - https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-imported-script (Step 5)
+
+        This was causing us to fail some Web Platform Tests.
+
+        No new tests, rebaselined existing tests.
+
+        * bindings/js/WorkerModuleScriptLoader.cpp:
+        (WebCore::WorkerModuleScriptLoader::load):
+        * loader/FetchOptions.h:
+        (WebCore::isScriptLikeDestination):
+        * workers/Worker.cpp:
+        (WebCore::Worker::create):
+        * workers/WorkerGlobalScope.cpp:
+        (WebCore::WorkerGlobalScope::importScripts):
+        * workers/WorkerScriptLoader.cpp:
+        (WebCore::WorkerScriptLoader::loadSynchronously):
+        (WebCore::WorkerScriptLoader::loadAsynchronously):
+        (WebCore::constructJavaScriptMIMETypeError):
+        (WebCore::WorkerScriptLoader::validateWorkerResponse):
+        (WebCore::WorkerScriptLoader::didReceiveResponse):
+        * workers/WorkerScriptLoader.h:
+        * workers/service/ServiceWorkerJob.cpp:
+        (WebCore::ServiceWorkerJob::fetchScriptWithContext):
+        * workers/shared/SharedWorkerScriptLoader.cpp:
+        (WebCore::SharedWorkerScriptLoader::load):
+
 2022-02-11  Antoine Quint  <graouts@webkit.org>
 

trunk/Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp

@@ -94 +94 @@
     }
 
-    m_scriptLoader->loadAsynchronously(context, WTFMove(request), WTFMove(fetchOptions), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, *this, taskMode());
+    m_scriptLoader->loadAsynchronously(context, WTFMove(request), WorkerScriptLoader::Source::ModuleScript, WTFMove(fetchOptions), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, *this, taskMode());
     return true;
 }

trunk/Source/WebCore/loader/FetchOptions.h

@@ -108 +108 @@
         || destination == FetchOptions::Destination::Script
         || destination == FetchOptions::Destination::Serviceworker
+        || destination == FetchOptions::Destination::Sharedworker
         || destination == FetchOptions::Destination::Worker;
 }

trunk/Source/WebCore/workers/Worker.cpp

@@ -114 +114 @@
     request.setInitiatorIdentifier(worker->m_identifier);
 
-    worker->m_scriptLoader->loadAsynchronously(context, WTFMove(request), workerFetchOptions(worker->m_options, FetchOptions::Destination::Worker), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, worker.get(), WorkerRunLoop::defaultMode());
+    auto source = options.type == WorkerType::Module ? WorkerScriptLoader::Source::ModuleScript : WorkerScriptLoader::Source::ClassicWorkerScript;
+    worker->m_scriptLoader->loadAsynchronously(context, WTFMove(request), source, workerFetchOptions(worker->m_options, FetchOptions::Destination::Worker), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, worker.get(), WorkerRunLoop::defaultMode());
 
     return worker;

trunk/Source/WebCore/workers/WorkerGlobalScope.cpp

@@ -383 +383 @@
         auto scriptLoader = WorkerScriptLoader::create();
         auto cspEnforcement = shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective;
-        if (auto exception = scriptLoader->loadSynchronously(this, url, FetchOptions::Mode::NoCors, cachePolicy, cspEnforcement, resourceRequestIdentifier()))
+        if (auto exception = scriptLoader->loadSynchronously(this, url, WorkerScriptLoader::Source::ClassicWorkerImport, FetchOptions::Mode::NoCors, cachePolicy, cspEnforcement, resourceRequestIdentifier()))
             return WTFMove(*exception);
 

trunk/Source/WebCore/workers/WorkerScriptLoader.cpp

@@ -53 +53 @@
 WorkerScriptLoader::~WorkerScriptLoader() = default;
 
-std::optional<Exception> WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, FetchOptions::Mode mode, FetchOptions::Cache cachePolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, const String& initiatorIdentifier)
+std::optional<Exception> WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, Source source, FetchOptions::Mode mode, FetchOptions::Cache cachePolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, const String& initiatorIdentifier)
 {
     ASSERT(scriptExecutionContext);
@@ -60 +60 @@
     m_url = url;
     m_lastRequestURL = url;
+    m_source = source;
     m_destination = FetchOptions::Destination::Script;
     m_isCOEPEnabled = scriptExecutionContext->settingsValues().crossOriginEmbedderPolicyEnabled;
@@ -115 +116 @@
 }
 
-void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext& scriptExecutionContext, ResourceRequest&& scriptRequest, FetchOptions&& fetchOptions, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, ServiceWorkersMode serviceWorkerMode, WorkerScriptLoaderClient& client, String&& taskMode)
+void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext& scriptExecutionContext, ResourceRequest&& scriptRequest, Source source, FetchOptions&& fetchOptions, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, ServiceWorkersMode serviceWorkerMode, WorkerScriptLoaderClient& client, String&& taskMode)
 {
     m_client = &client;
     m_url = scriptRequest.url();
     m_lastRequestURL = scriptRequest.url();
+    m_source = source;
     m_destination = fetchOptions.destination;
     m_isCOEPEnabled = scriptExecutionContext.settingsValues().crossOriginEmbedderPolicyEnabled;
@@ -164 +166 @@
 }
 
-ResourceError WorkerScriptLoader::validateWorkerResponse(const ResourceResponse& response, FetchOptions::Destination destination)
+static ResourceError constructJavaScriptMIMETypeError(const ResourceResponse& response)
+{
+    auto message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because ", response.mimeType(), " is not a script MIME type.");
+    return { errorDomainWebKitInternal, 0, response.url(), WTFMove(message), ResourceError::Type::AccessControl };
+}
+
+ResourceError WorkerScriptLoader::validateWorkerResponse(const ResourceResponse& response, Source source, FetchOptions::Destination destination)
 {
     if (response.httpStatusCode() / 100 != 2 && response.httpStatusCode())
@@ -174 +182 @@
     }
 
-    if (shouldBlockResponseDueToMIMEType(response, destination)) {
-        auto message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because ", response.mimeType(), " is not a script MIME type.");
-        return { errorDomainWebKitInternal, 0, response.url(), WTFMove(message), ResourceError::Type::General };
+    switch (source) {
+    case Source::ClassicWorkerScript:
+        // https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script (Step 5)
+        // This is the result a dedicated / shared / service worker script fetch.
+        if (response.url().protocolIsInHTTPFamily() && !MIMETypeRegistry::isSupportedJavaScriptMIMEType(response.mimeType()))
+            return constructJavaScriptMIMETypeError(response);
+        break;
+    case Source::ClassicWorkerImport:
+        // https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-imported-script (Step 5).
+        // This is the result of an importScripts() call.
+        if (!MIMETypeRegistry::isSupportedJavaScriptMIMEType(response.mimeType()))
+            return constructJavaScriptMIMETypeError(response);
+        break;
+    case Source::ModuleScript:
+        if (shouldBlockResponseDueToMIMEType(response, destination))
+            return constructJavaScriptMIMETypeError(response);
+        break;
     }
 
@@ -189 +211 @@
 void WorkerScriptLoader::didReceiveResponse(ResourceLoaderIdentifier identifier, const ResourceResponse& response)
 {
-    m_error = validateWorkerResponse(response, m_destination);
+    m_error = validateWorkerResponse(response, m_source, m_destination);
     if (!m_error.isNull()) {
         m_failed = true;

trunk/Source/WebCore/workers/WorkerScriptLoader.h

@@ -61 +61 @@
     }
 
-    std::optional<Exception> loadSynchronously(ScriptExecutionContext*, const URL&, FetchOptions::Mode, FetchOptions::Cache, ContentSecurityPolicyEnforcement, const String& initiatorIdentifier);
-    void loadAsynchronously(ScriptExecutionContext&, ResourceRequest&&, FetchOptions&&, ContentSecurityPolicyEnforcement, ServiceWorkersMode, WorkerScriptLoaderClient&, String&& taskMode);
+    enum class Source : uint8_t { ClassicWorkerScript, ClassicWorkerImport, ModuleScript };
+
+    std::optional<Exception> loadSynchronously(ScriptExecutionContext*, const URL&, Source, FetchOptions::Mode, FetchOptions::Cache, ContentSecurityPolicyEnforcement, const String& initiatorIdentifier);
+    void loadAsynchronously(ScriptExecutionContext&, ResourceRequest&&, Source, FetchOptions&&, ContentSecurityPolicyEnforcement, ServiceWorkersMode, WorkerScriptLoaderClient&, String&& taskMode);
 
     void notifyError();
@@ -91 +93 @@
     void cancel();
 
-    WEBCORE_EXPORT static ResourceError validateWorkerResponse(const ResourceResponse&, FetchOptions::Destination);
+    WEBCORE_EXPORT static ResourceError validateWorkerResponse(const ResourceResponse&, Source, FetchOptions::Destination);
 
 private:
@@ -112 +114 @@
     CertificateInfo m_certificateInfo;
     String m_responseMIMEType;
+    Source m_source;
     FetchOptions::Destination m_destination;
     ContentSecurityPolicyResponseHeaders m_contentSecurityPolicy;

trunk/Source/WebCore/workers/service/ServiceWorkerJob.cpp

@@ -114 +114 @@
     options.destination = FetchOptions::Destination::Serviceworker;
     options.credentials = FetchOptions::Credentials::SameOrigin;
-    m_scriptLoader->loadAsynchronously(context, WTFMove(request), WTFMove(options), ContentSecurityPolicyEnforcement::DoNotEnforce, ServiceWorkersMode::None, *this, WorkerRunLoop::defaultMode());
+
+    auto source = m_jobData.workerType == WorkerType::Module ? WorkerScriptLoader::Source::ModuleScript : WorkerScriptLoader::Source::ClassicWorkerScript;
+    m_scriptLoader->loadAsynchronously(context, WTFMove(request), source, WTFMove(options), ContentSecurityPolicyEnforcement::DoNotEnforce, ServiceWorkersMode::None, *this, WorkerRunLoop::defaultMode());
 }
 

trunk/Source/WebCore/workers/shared/SharedWorkerScriptLoader.cpp

@@ -49 +49 @@
     m_completionHandler = WTFMove(completionHandler);
 
-    m_loader->loadAsynchronously(*m_worker->scriptExecutionContext(), ResourceRequest(m_url), m_worker->workerFetchOptions(m_options, FetchOptions::Destination::Sharedworker), ContentSecurityPolicyEnforcement::EnforceWorkerSrcDirective, ServiceWorkersMode::All, *this, WorkerRunLoop::defaultMode());
+    auto source = m_options.type == WorkerType::Module ? WorkerScriptLoader::Source::ModuleScript : WorkerScriptLoader::Source::ClassicWorkerScript;
+    m_loader->loadAsynchronously(*m_worker->scriptExecutionContext(), ResourceRequest(m_url), source, m_worker->workerFetchOptions(m_options, FetchOptions::Destination::Sharedworker), ContentSecurityPolicyEnforcement::EnforceWorkerSrcDirective, ServiceWorkersMode::All, *this, WorkerRunLoop::defaultMode());
 }
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-02-11  Chris Dumez  <cdumez@apple.com>
+
+        Fix MIME type check for classic worker script fetches
+        https://bugs.webkit.org/show_bug.cgi?id=236411
+
+        Reviewed by Alex Christensen.
+
+        * NetworkProcess/ServiceWorker/ServiceWorkerSoftUpdateLoader.cpp:
+        (WebKit::ServiceWorkerSoftUpdateLoader::processResponse):
+
 2022-02-11  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebKit/NetworkProcess/ServiceWorker/ServiceWorkerSoftUpdateLoader.cpp

@@ -161 +161 @@
 ResourceError ServiceWorkerSoftUpdateLoader::processResponse(const ResourceResponse& response)
 {
-    auto error = WorkerScriptLoader::validateWorkerResponse(response, FetchOptions::Destination::Serviceworker);
+    auto source = m_jobData.workerType == WorkerType::Module ? WorkerScriptLoader::Source::ModuleScript : WorkerScriptLoader::Source::ClassicWorkerScript;
+    auto error = WorkerScriptLoader::validateWorkerResponse(response, source, FetchOptions::Destination::Serviceworker);
     if (!error.isNull())
         return error;