Add MIME type checking for HTTP(S) worker scripts

This is part of #3255.
whatwg · Aug 12, 2020 · 97c73c3 · 97c73c3
1 parent f781a90
commit 97c73c3
Showing 1 changed file with 44 additions and 17 deletions.
diff --git a/source b/source
@@ -88571,10 +88571,15 @@ document.querySelector("button").addEventListener("click", bound);
 
    <li><p>Set <var>response</var> to <var>response</var>'s <span>unsafe response</span>.</p></li>
 
-   <li><p>If <var>response</var>'s <span data-x="concept-response-type">type</span> is "<code
-   data-x="">error</code>", or <var>response</var>'s <span
-   data-x="concept-response-status">status</span> is not an <span>ok status</span>, asynchronously
-   complete this algorithm with null, and return.</p></li>
+   <li>
+    <p>If <var>response</var>'s <span data-x="concept-response-type">type</span> is "<code
+    data-x="">error</code>", or <var>response</var>'s <span
+    data-x="concept-response-status">status</span> is not an <span>ok status</span>, then
+    asynchronously complete this algorithm with null, and return.</p>
+
+    <p class="note">For historical reasons, this algorithm does not include MIME type checking,
+    unlike the other script-fetching algorithms in this section.</p>
+   </li>
 
    <li><p>If <var>response</var>'s <span data-x="Content-Type">Content Type metadata</span>, if
    any, specifies a character encoding, and the user agent supports that encoding, then set
@@ -88632,10 +88637,38 @@ document.querySelector("button").addEventListener("click", bound);
 
    <li><p>Set <var>response</var> to <var>response</var>'s <span>unsafe response</span>.</p></li>
 
-   <li><p>If <var>response</var>'s <span data-x="concept-response-type">type</span> is "<code
-   data-x="">error</code>", or <var>response</var>'s <span
-   data-x="concept-response-status">status</span> is not an <span>ok status</span>, asynchronously
-   complete this algorithm with null, and return.</p></li>
+   <li>
+    <p>If either of the following conditions are met:</p>
+
+    <ul>
+     <li><p><var>response</var>'s <span data-x="concept-response-type">type</span> is "<code
+     data-x="">error</code>"; or</p></li>
+
+     <li><p><var>response</var>'s <span data-x="concept-response-status">status</span> is not an
+     <span>ok status</span>,</p></li>
+    </ul>
+
+    <p>then asynchronously complete this algorithm with null, and return.</p>
+   </li>
+
+   <li>
+    <p>If both of the following conditions are met:</p>
+
+    <ul>
+     <li><p><var>response</var>'s <span data-x="concept-response-url">url</span>'s <span
+     data-x="concept-url-scheme">scheme</span> is an <span>HTTP(S) scheme</span>; and</p></li>
+
+     <li><p>the result of <span data-x="extract a MIME type">extracting a MIME type</span> from
+     <var>response</var>'s <span data-x="concept-response-header-list">header list</span> is not a
+     <span>JavaScript MIME type</span>,</p>
+    </ul>
+
+    <p>then asynchronously complete this algorithm with null, and return.</p>
+
+    <p class="note">Other <span data-x="fetch scheme">fetch schemes</span> are exempted from MIME
+    type checking for historical web-compatibility reasons. We might be able to tighten this in the
+    future; see <a href="https://github.com/whatwg/html/issues/3255">issue #3255</a>.</p>
+   </li>
 
    <li><p>Let <var>source text</var> be the result of <span data-x="UTF-8 decode">UTF-8
    decoding</span> <var>response</var>'s <span data-x="concept-response-body">body</span>.</p></li>
@@ -89176,15 +89209,9 @@ document.querySelector("button").addEventListener("click", bound);
      <li><p><var>response</var>'s <span data-x="concept-response-status">status</span> is not an
      <span>ok status</span>; or</p></li>
 
-     <li>
-      <p>the result of <span data-x="extract a MIME type">extracting a MIME type</span> from
-      <var>response</var>'s <span data-x="concept-response-header-list">header list</span> is not a
-      <span>JavaScript MIME type</span>,</p>
-
-      <p class="note">For historical reasons, <span data-x="fetch a classic script">fetching a
-      classic script</span> does not include MIME type checking. In contrast, module scripts will
-      fail to load if they are not of a correct MIME type.</p>
-     </li>
+     <li><p>the result of <span data-x="extract a MIME type">extracting a MIME type</span> from
+     <var>response</var>'s <span data-x="concept-response-header-list">header list</span> is not a
+     <span>JavaScript MIME type</span>,</p></li>
     </ul>
 
     <p>then <span data-x="map set">set</span> <var>moduleMap</var>[<var>url</var>] to null,