CORB++: CSS #964
Comments
Huh, is that spec'd? https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet:process-the-linked-resource suggests the content type must be |
|
|
|
Hah. So what's the actual behaviour here then? Is it: Cross origin styleheets are blocked if the |
|
In Gecko, the behavior is "Blocked if there is a content-type header result of parsing the content-type header produces a nonempty string". I suspect based on code inspection, but have not tested, that something like: would get treated as "empty string" in Gecko, for example. And not sure about this one: If we want to know the actual behavior across browsers, we'll need to write some testcases and maybe do some code-sleuthing. |
|
Interesting! Given the error resilience of CSS, sniffing it sounds hard. Could CSS resources be sanitised out-of-process? As in, ditch everything that doesn't roughly-parse before it enters the process? |
|
It's not immediately clear how that would help as we don't necessarily know where a response will end up getting used due to service workers. All we have is a response and we need to determine whether to allow it through. I suppose instead of the final step of https://github.com/annevk/orb we could return the resource after it has been parsed as CSS rather than blocking it (and modify some of the other steps to not require a MIME type). Hmm... |
|
Closing this in favor of annevk/orb#28. |
#721 (comment) has a sketch for the CORB++ idea. Basically, all opaque responses apart from a couple "safelisted responses" are blocked by the networking layer and turned into network errors.
In https://bugzilla.mozilla.org/show_bug.cgi?id=1531405 Mozilla looked at
Content-Typeheaders for opaque responses that might end up being used as style sheets. For Firefox 71 beta, the breakdown is as follows (similar breakdown for other releases so I suspect this is representative enough):text/css: 99.48%The main problem I see here is "No header". The platform treats this as
text/cssand 0.17% seems too high to block. (Note that "Other" is already blocked. Empty/Failed are not blocked currently I think, but could be.) This means that we either have to sniff CSS in addition to JavaScript or give up completely on resources without aContent-Typeheader. That is, in order to protect against Spectre and memory exploits you need aContent-Typeheader set on any resource you put online (and ideally you also haveX-Content-Type-Optionsset or CORP obviously as otherwise it still gets sniffed and might end up exposed if it parses as JavaScript).@bzbarsky @valenting @jakearchibald @anforowicz @youennf thoughts?
The text was updated successfully, but these errors were encountered: