In Firefox 70 we plan to start blocking Worker and SharedWorker scripts served with non-JavaScript MIME types. We have similarly been blocking importScripts() since version 67.
Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1523706
Pref: security.block_Worker_with_wrong_mime

This was also discussed at https://github.com/whatwg/html/issues/3255. It seems like Chrome does NOT plan on shipping this at the moment. However we are optimistic that we can ship this, because in our data there are more importScripts with a wrong MIME type than worker scripts. We didn't dig too deeply into this data, but one idea was that a lot of worker scripts are actually 404 text/html error pages.

Telemetry: https://mzl.la/2y805sN (Compare worker_load with importScript_load)

Tom