feat(unstable): Support data: urls #5157
What happens with media types we don't support, like text/plain? It would be good to have some non-happy path tests for this.
Currently they get treated as JavaScript because it falls through here: Lines 146 to 149 in fca204d
Hrmmm... I didn't think we allowed media types we didn't know. @bartlomieju are we sure we want that? Seems like a big security hole. Non-happy path tests would still be good.
Working on that and checking whether removing that fallback causes regressions
I'd like to have some feedback on how to handle
This is an interesting feature. The patch looks cleanly implemented.
How are data-urls used with javascript typically? I don't understand the use case.
Do data urls work like this in Chrome?
The usages I encounter are generally data embedding.
Both Firefox and Chrome allow imports of that form.
Ok sounds good. I think we should make this an unstable feature for the time being. I'd leave it up to you to figure out how to do that exactly (if you don't mind). Here's reference: Lines 236 to 248 in 2b02535
Thanks for the patch @SyrupThinker; however I think we should wait on this PR after 1.0 is released and compiler refactor is finished. It introduces yet another layer to consider and if I'm not mistaken data imports are dependent on location/origin which we currently don't support.
That's how it always worked: unknown media types are treated as if they were JS which in most cases ends up in an error from V8 or TS compiler.
Ok, I'll continue working on this after the refactor then.
That is correct; we certainly don't want to allow circumventing restrictions by imports like
This is done to prevent modules from being able to proxy forbidden imports through data. This should be replaced with proper origin tracking at a later time.
@SyrupThinker I'm sorry we didn't get this landed earlier. If you can get this rebased on master, I would include it in 1.4.0 (to be released September 13)
Since the main use case for this feature is for loading workers, it would be good to have a test case demonstrating that you can start a worker with a data url.
I don't know how to resolve the tsc errors (or how to debug them), could use some help for that. For example I can't figure out how to log stuff in
MDN tells that data: URLs are not allowed at top level due to phishing vulnerability. I wonder if we also should disallow them as entry point 🤔
EDIT: I guess it doesn't make much difference - we still require --allow-* flags.
@@ -687,6 +687,7 @@ impl TsCompiler { | |||
self.file_fetcher.clone(), | |||
global_state.maybe_import_map.clone(), | |||
permissions.clone(), | |||
global_state.flags.unstable, |
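Review bot: the added global_state.flags.unstable argument is a bare boolean appended positionally after permissions.clone(), so nothing at this call site says what it gates. A short comment on that line stating that it enables data: URL imports, or a named type on the callee instead of a raw bool, would make the gate auditable, and it should be covered by a test showing that a data: import is refused when the flag is off.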
Not sure if we need to hide it behind unstable
@SyrupThinker I have fixed the tests. TS failures were caused by #7392
LGTM, thank you @SyrupThinker
This reverts commit e3319f3.
Closes #5059
Notes:
percent-encoding is already an indirect dependency of url
extract_data_url, what kind of Error should be returned?
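
The media-type concern raised in the review above (unsupported types such as text/plain falling through to JavaScript), as an added example that is not code from this PR or from Deno: a strict data: URL header parser that returns a dedicated error for anything outside an allowlist. The names `parse_data_url`, `DataUrl`, `DataUrlError` and the four allowed media types are assumptions made for illustration.

```rust
// Added example; names and the allowlist are assumptions, not Deno's implementation.
#[derive(Debug, PartialEq)]
pub enum MediaType { JavaScript, TypeScript }

#[derive(Debug, PartialEq)]
pub enum DataUrlError { NotDataUrl, MissingComma, UnsupportedMediaType(String) }

#[derive(Debug, PartialEq)]
pub struct DataUrl<'a> {
    pub media_type: MediaType,
    pub base64: bool,
    pub payload: &'a str, // left encoded; decoding is out of scope here
}

pub fn parse_data_url<'a>(url: &'a str) -> Result<DataUrl<'a>, DataUrlError> {
    // The scheme is case-insensitive; `get` also guards short or non-ASCII input.
    let rest = match url.get(..5) {
        Some(s) if s.eq_ignore_ascii_case("data:") => &url[5..],
        _ => return Err(DataUrlError::NotDataUrl),
    };
    // The header ends at the first comma; later commas belong to the payload.
    let (header, payload) = rest.split_once(',').ok_or(DataUrlError::MissingComma)?;
    let mut parts = header.split(';').map(str::trim);
    // RFC 2397: an omitted media type means text/plain.
    let essence = match parts.next() {
        Some(m) if !m.is_empty() => m.to_ascii_lowercase(),
        _ => "text/plain".to_string(),
    };
    // Remaining tokens are parameters (charset=...) or the base64 marker.
    let base64 = parts.any(|p| p.eq_ignore_ascii_case("base64"));
    let media_type = match essence.as_str() {
        "application/javascript" | "text/javascript" => MediaType::JavaScript,
        "application/typescript" | "text/typescript" => MediaType::TypeScript,
        // No fallthrough to JavaScript: an unknown type is an explicit error.
        _ => return Err(DataUrlError::UnsupportedMediaType(essence)),
    };
    Ok(DataUrl { media_type, base64, payload })
}

fn main() {
    // Constructed sample inputs.
    let samples = ["data:application/typescript;base64,ZXhwb3J0IHt9", "data:text/plain,hello"];
    for u in samples.iter() {
        println!("{} -> {:?}", u, parse_data_url(u));
    }
}
```
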