Explicitly state that UA can reject file based on its type

[mgiuca]

With examples to prevent sharing of executable files.

Could be based on extension, MIME type or contents.

[mgiuca]

It actually does have this (search for the word "block").

But it needs to change to split it out from the user activation check, and move it into the "in parallel" steps, so it can be done async.

[marcoscaceres]

Over on the gecko side, we've been considering the following attack:

const evil = new File([...evilBytes], "cat.exe");
navigator.share({files: [evil], title: "Cute cat image!"});

In order to mitigate the above, we should require each File have both type and a filename with an extension, and that the type must match an expected extension. We should have a limited list of recommended sharable types/extension combinations.

This also allows us to avoid having to do content type sniffing, although that could be done as well.

So, concretely, we should replace:

If a file type is being blocked due to security considerations, return a promise rejected with with a "NotAllowedError" DOMException.

With a lookup-table for allowed MIME + extensions-list combinations.

[mgiuca]

TPAC 2020: Resolved to make a change to the spec to let browsers determine their own rules for blocking based on file type.

We can discuss further having a formal list of allowed / blocked types, but no consensus on that.

@NotWoods suggests https://html.spec.whatwg.org/multipage/links.html#allowed-to-download as a starting point.

[marcoscaceres]

The HTML suggestion relates to the download= attribute, but in our case we use Permissions Policy to enable the functionality. However, I adapted the text "Optionally, the user agent may return false, if it believes doing so would safeguard the user from a potentially hostile download." and added it to 6c0a9f5.

[marcoscaceres]

List of extensions / types from Chromium : https://docs.google.com/document/d/1tKPkHA5nnJtmh2TgqWmGSREUzXgMUFDL6yMdVZHqUsg/edit

[marcoscaceres]

closing as handled by 6c0a9f5 for now.