nosniff and images #395
Comments
@ckerschb what do you think, is it worth it to try and enable this at some point or should we just give up on having nosniff for that? @mikewest thoughts? The specification also has it for fonts, media, and media track resources. I'm guessing we want to give up on those too and only handle style and script resources? @zcorpan are media track resources still safe (like images are)?
Yes. At least if only WebVTT is supported. TTML2 supports external resources apparently though I have pointed out that that is a problem.
Okay, I hope no user agent plans on implementing that. Given that I'd be okay with restricting nosniff to just style and script forever.
In an ideal world, supporting Perhaps Mozilla folks who supported the change could give a bit of detail about the relative priority? If I'm wrong, then we can make time.
For “image” it was not web-compatible and checking the others doesn’t seem worth it given there are no known issues with sniffing there. Closes #395.
Created a PR to apply it to "script" and "style" only.
See whatwg/fetch#395 for details.
Also created a WPT PR.
(Seems Chrome still fails several nosniff tests around workers and such.)
See whatwg/fetch#395 for details.
For “image” it was not web-compatible and checking the others doesn’t seem worth it given there are no known issues with sniffing there. Tests: web-platform-tests/wpt#4356. Closes #395.
The Gecko bugs that get resolved through this change are: https://bugzilla.mozilla.org/show_bug.cgi?id=1289055, https://bugzilla.mozilla.org/show_bug.cgi?id=1289056, and https://bugzilla.mozilla.org/show_bug.cgi?id=1289057. Haven't closed them myself since @ckerschb might have to do some cleanup.
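As an added illustration, not code from the Fetch spec, Gecko or this thread: a model of the spec's nosniff check once it only applies to script-like and style destinations, so an image served with a wrong Content-Type is no longer blocked while a mislabelled script or stylesheet still is. The JavaScript MIME type list and the script-like destination set are assumptions copied from the current spec text.

```javascript
// Added model of the Fetch spec's "should response to request be blocked
// due to nosniff?" check, limited to script-like and style destinations.
// Not code from the spec, Gecko or this thread. The JavaScript MIME type
// list and the script-like destination set are assumptions taken from the
// current spec text.

const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Assumed script-like destinations (the spec later widened "script" to these).
const SCRIPT_LIKE = new Set([
  "script", "worker", "sharedworker", "serviceworker",
]);

// Only the first list member counts: "nosniff, x" is nosniff, "x, nosniff" is not.
function determineNosniff(xctoHeader) {
  if (xctoHeader == null) return false;
  return xctoHeader.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Reduce "text/css; charset=utf-8" to its essence "text/css"; null on failure.
function mimeEssence(contentType) {
  if (contentType == null) return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// Returns "blocked" or "allowed" for a response carrying the given headers,
// fetched for a request with the given destination.
function shouldBlockDueToNosniff(destination, contentType, xctoHeader) {
  if (!determineNosniff(xctoHeader)) return "allowed";
  const essence = mimeEssence(contentType);
  // A missing or unparsable Content-Type (essence null) is treated as failure.
  if (SCRIPT_LIKE.has(destination) && !JS_MIME_TYPES.has(essence)) {
    return "blocked";
  }
  if (destination === "style" && essence !== "text/css") return "blocked";
  // Every other destination (image, font, media, track, ...) is unaffected.
  return "allowed";
}
```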
Change `x-content-type-options` rule so that it limits the usage of the `X-Content-Type-Options` header to scripts and stylesheets as modern browsers actually only respect the header for those types of resources¹. Also, sending the header for resources such as images creates problems² in some older browsers.

¹ https://fetch.spec.whatwg.org/#x-content-type-options-header
² whatwg/fetch#395

Fix #767
Close #772
😱 You realize you introduced a security risk here? Actually also "HTML" can be a malicious mime type, as it can obviously embed JS. (Maybe also other types such as SVG?) See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject. Please do watch the whole talk, it's good! 😄
Firefox ran into problems supporting nosniff for images (Chrome doesn't support it there). @ckerschb is going to figure out if we can enable it at some future point: https://bugzilla.mozilla.org/show_bug.cgi?id=1302539. If that doesn't work out, we'll have to change the specification.