Block additional "script" MIME types

When request's type is "script", this will make sure we also block MIME types starting with "audio/" or "video/", or MIME types that are text/csv. Due to browsers not paying any attention to "script" MIME types this is blocklist-based, but it's better than nothing. (Use `X-Content-Type-Options: nosniff` to make it safelist-based.) PR: #379
whatwg · Aug 31, 2016 · 2e85cef · 2e85cef
1 parent 8243753
commit 2e85cef
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/Overview.html b/Overview.html
@@ -7,7 +7,7 @@
 
 <p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
 <h1 id="cors">Fetch</h1>
-<h2 class="no-num no-toc" id="living-standard-—-last-updated-26-august-2016">Living Standard — Last Updated 26 August 2016</h2>
+<h2 class="no-num no-toc" id="living-standard-—-last-updated-31-august-2016">Living Standard — Last Updated 31 August 2016</h2>
 
 <dl>
  <dt>Participate:
@@ -1567,8 +1567,15 @@ <h3 id="should-response-to-request-be-blocked-due-to-mime-type?"><span class="se
 
  <li><p>Let <var>type</var> be <var>request</var>'s <a href="#concept-request-type" title="concept-request-type">type</a>.
 
- <li><p>If <var>type</var> is "<code title="">script</code>", and <var>MIMEType</var> starts with
- `<code title="">image/</code>`, then return <b title="">blocked</b>.
+ <li>
+  <p>If <var>type</var> is "<code title="">script</code>" and one of the following is true, then return
+  <b>blocked</b>:
+
+  <ul class="brief">
+   <li><var>MIMEType</var> starts with `<code title="">audio/</code>`, `<code title="">image/</code>`, or
+   `<code title="">video/</code>`.
+   <li><var>MIMEType</var> is `<code title="">text/csv</code>`.
+  </ul>
 
  <li><p>Return <b title="">allowed</b>.
 </ol>
@@ -5780,6 +5787,7 @@ <h2 class="no-num" id="acknowledgments">Acknowledgments</h2>
 Thomas Roessler,
 Thomas Wisniewski,
 Tobie Langel,
+Tom Schuster,
 Tomás Aparicio,
 保呂毅 (Tsuyoshi Horo),
 Tyler Close,

diff --git a/Overview.src.html b/Overview.src.html
@@ -1497,8 +1497,15 @@ <h3 id="should-response-to-request-be-blocked-due-to-mime-type?"><dfn title="sho
 
  <li><p>Let <var>type</var> be <var>request</var>'s <span title=concept-request-type>type</span>.
 
- <li><p>If <var>type</var> is "<code title>script</code>", and <var>MIMEType</var> starts with
- `<code title>image/</code>`, then return <b title>blocked</b>.
+ <li>
+  <p>If <var>type</var> is "<code title>script</code>" and one of the following is true, then return
+  <b>blocked</b>:
+
+  <ul class="brief">
+   <li><var>MIMEType</var> starts with `<code title>audio/</code>`, `<code title>image/</code>`, or
+   `<code title>video/</code>`.
+   <li><var>MIMEType</var> is `<code title>text/csv</code>`.
+  </ul>
 
  <li><p>Return <b title>allowed</b>.
 </ol>
@@ -5618,6 +5625,7 @@ <h2 class=no-num>Acknowledgments</h2>
 Thomas Roessler,
 Thomas Wisniewski,
 Tobie Langel,
+Tom Schuster,
 Tomás Aparicio,
 保呂毅 (Tsuyoshi Horo),
 Tyler Close,