Open
Bug 1465074
Opened 6 years ago
Updated 2 years ago
Allow range requests to pass through a service worker
Categories
(Core :: DOM: Service Workers, defect, P2)
Core
DOM: Service Workers
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox62 | --- | affected |
People
(Reporter: jaffathecake, Unassigned)
References
(Blocks 2 open bugs)
Details
Spec change: https://github.com/whatwg/fetch/pull/560.
Tests: https://github.com/web-platform-tests/wpt/pull/10348.
Security issues to pay attention to: https://github.com/whatwg/fetch/issues/144#issuecomment-368040980
This spec change means that rage requests (such as those from media elements) are allowed to pass through a service worker as long as they aren't modified. This fixes a long standing issue where media elements behave oddly if intercepted by a service worker (as the range headers were lost).
How media elements ingest partial responses remains unspecified for now. See the attacks in https://github.com/whatwg/fetch/issues/144#issuecomment-368040980 & their mitigations. Attack 4 is already covered in the tests.
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
Priority: -- → P2
|
|
||
Comment 2•6 years ago
|
||
Looks like we already blocked 206 responses in Cache API in bug 1264181.
Depends on: 1264181
|
||
Updated•6 years ago
|
Unfortunately Firefox is currently the only browser that is not supporting range requests in service workers. See here: https://wpt.fyi/results/fetch/range/sw.https.window.html?label=master&label=experimental&aligned
Recent versions of Safari and Chromium since Version 87 support this really well (https://web.dev/sw-range-requests/). It is really unfortunate that our web app can not support Firefox because of this issue...
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Depends on: CVE-2022-45403
|
|
||
Updated•3 years ago
|
|
||
Comment 4•3 years ago
|
||
The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•