Restrict allowed JavaScript MIME types #870
I wonder if there's anything we can do to get all those text/html ones down.
Chrome's numbers look a bit different: Cross-origin scripts
Same-origin scripts
We might just be measuring different things. It looks like Mozilla's metrics use the number of scripts loaded as the denominator, while Chrome is measuring the number of pages on which any script had the given MIME type?
That number is incredibly high. Sadly you don't seem to count Would you assume that breaking cross-origin scripts would usually be less of a problem, assuming that a lot of those are tracking scripts?
Yes, correct, this counts every script load. Actually this number also includes ServiceWorker, Worker etc., but those numbers are so small compared to normal I am still surprised that the difference seems so high, but I don't have a good intuition on how those two measurements compare.
Yes. "Other" is everything else, including
Yes, that's exactly my intuition. Hence the separate metrics. :)
I can imagine that Chromium's page-views-based number would look much higher than Mozilla's script-load-based number if there are a small number of very widely used scripts with incorrect MIME types. Facebook was in this category, as is VK, and a zillion ad scripts. I think it's worth experimenting in this direction, and explicitly allowing
It seems that even if we figure this out, #721 (comment) (CORB++) will still be needed due to
I am cautiously optimistic that we can change the allowed JavaScript MIME types from a block list to an allow list.
This list would include all the JavaScript MIME types, plus text/html, application/json, text/plain and empty (no Content-Type). Note that we already block image/, which has almost the same percentage as unknown, which includes all not explicitly enumerated MIME types. @annevk @mikewest
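The allow list proposed in this last comment, as an added example that is not code from the thread or from any browser: it reduces a Content-Type header value to its MIME essence and buckets it the way the discussion's metrics do. Assumed: the JavaScript MIME type list is the one enumerated by the MIME Sniffing Standard, a missing or blank header counts as "empty", and unparseable or unlisted values count as "unknown".

```javascript
// Added example (not from the issue thread or any browser): the proposed
// allow-list check applied to raw Content-Type header values.

// The JavaScript MIME types enumerated by the MIME Sniffing Standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Non-script types the thread proposes to keep allowing for compatibility.
const COMPAT_ALLOWED = new Set(["text/html", "application/json", "text/plain"]);

// Reduce a header value to its MIME essence ("type/subtype", lower-cased,
// parameters such as "; charset=utf-8" dropped). Returns null when the
// value is not a parseable type/subtype pair.
function mimeEssence(contentType) {
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const slash = essence.indexOf("/");
  if (slash <= 0 || slash === essence.length - 1 || /\s/.test(essence)) return null;
  return essence;
}

// Bucket a response the way the thread's metrics do. Assumption (mine):
// a missing or blank header is "empty"; anything unparseable or not
// explicitly enumerated is "unknown".
function classifyScriptMime(contentType) {
  if (contentType == null || contentType.trim() === "") return "empty";
  const essence = mimeEssence(contentType);
  if (essence === null) return "unknown";
  if (JAVASCRIPT_MIME_TYPES.has(essence)) return "javascript";
  if (COMPAT_ALLOWED.has(essence)) return essence;
  if (essence.startsWith("image/")) return "image";
  return "unknown";
}

// The proposed rule: allow JavaScript types, the three compat types and
// empty; block everything else (image/ is already blocked today).
function scriptAllowedByProposal(contentType) {
  const bucket = classifyScriptMime(contentType);
  return bucket !== "image" && bucket !== "unknown";
}

// Constructed sample header values, as a script loader might see them.
const SAMPLES = ["text/javascript; charset=UTF-8", "Application/JSON", "text/html",
  "", null, "image/png", "application/octet-stream", "garbage"];
for (const s of SAMPLES) console.log(JSON.stringify(s), classifyScriptMime(s), scriptAllowedByProposal(s));
```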