W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2013

Re: [whatwg] Script-related feedback

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 7 Jan 2013 17:20:12 -0800
Message-ID: <CAJE5ia_o6YYjmSuST=4PO3qYhVfUc=zRdoymfkQzG8tUv9_mPw@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg@whatwg.org
On Wed, Dec 19, 2012 at 2:27 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Mon, 3 Dec 2012, Adam Barth wrote:
>> Currently, there are a number of ways to load a script from the network
>> and execute it, but none of them will actually load and execute the
>> script as fast as physically possible.  Consider the following markup:
>>
>> <script async src="path/to/script.js"></script>
>>
>> In this case, the user agent will wait until it receives the last byte
>> of script.js from the network before executing the first byte of
>> script.js.
>
> It had better, since JavaScript requires that syntax errors in the lasy
> byte prevent execution of the first byte.
>
>> The main ingredient that we're missing is a way for the author to signal
>> to the user agent which chunks of scripts are safe to execute in
>> parallel with loading subsequent chunks from the network. Fortunately,
>> the web platform already has a mechanism for breaking a single HTTP
>> response body into chunks that are processed sequentially:
>> multipart/mixed.
>>
>> For example, if an HTTP server provides a multipart/mixed response to a
>> request for an image, the <img> element will display each part of the
>> response in sequence, animating the image.  Similarly, if an HTTP server
>> provides a multipart/mixed response to a request for an HTML document,
>> the user agent will display each part of the response sequentially.
>>
>> One way to address this use case is to add multipart/mixed support to
>> the <script> element.  Upon receiving a multipart/mixed response to a
>> request for a script, the <script> element must execute each part of the
>> response as they become available.  This behavior appears to be
>> consistent with the definition of multipart/mixed
>> <http://tools.ietf.org/html/rfc2046#section-5.1.3>.
>>
>> To load and execute a script as quickly as possible, the author would
>> use the following markup:
>>
>> <script async src="path/to/script.js"></script>
>>
>> The HTTP server would then break script.js into chunks that are safe to
>> execute sequentially and provide each chunk as a separate MIME part in a
>> multipart/mixed response.
>
> This seems like an overly complicated way of solving this problem.
>
> Why not just introduce a keyword or pragma to JavaScript that tells the
> user agent to act as if the end of the Program production had been
> reached, and that it should treat the remainder of the file as another
> Program?
>
> This could even be done in a backwards-compatible fashion by having the
> syntax to do this be something that down-level clients ignore, e.g.:
>
>    /*@BREAK*/
>
> ...or some such.

That approach is an in-band signal, which means it's vulnerable to
injection attacks.  For example, consider a server that produces a
JavaScript file of the following form:

[...]
var userData = "<?php echo santize($userData) ?>";
[...]

Currently, the rules for sanitizing using input are relatively
straightforward (essentially, you just need to worry about a few
special characters).  However, if we implemented an in-band signaling
we might well break these sanitation algorithms.

To make this secure, we'd probably want some sort of randomized
delimiter (perhaps declared via a pragma at the top of the file), but
then we would have just re-invented multipart/mixed.

Adam
Received on Tuesday, 8 January 2013 01:21:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:12 GMT