
Block additional script MIMETypes (audio, video, csv) #379

Closed
wants to merge 2 commits into from

Conversation

evilpie
Contributor

@evilpie evilpie commented Aug 29, 2016

Closes #337.
I also added audio/video, because per telemetry they are probably unused. I think it makes sense to block them alongside image/. text/csv is blocked to mitigate the issue described in Bug 1048535.

@mikewest Are you on board with this?

@mikewest
Member

Yup. Assuming the numbers you noted in the other bug stay stable through the release train, I'd like to do the same in Chrome.

@@ -1498,7 +1498,9 @@ <h3 id="should-response-to-request-be-blocked-due-to-mime-type?"><dfn title="sho
<li><p>Let <var>type</var> be <var>request</var>'s <span title=concept-request-type>type</span>.

<li><p>If <var>type</var> is "<code title>script</code>", and <var>MIMEType</var> starts with
`<code title>image/</code>`, then return <b title>blocked</b>.
`<code title>audio/</code>`, `<code title>image/</code>` or `<code title>video/</code>`, then return <b title>blocked</b>.
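Review bot: `text/csv`, which the PR description and commit message say is now blocked for script requests, does not appear in this hunk; because it is an exact-match rule rather than a prefix rule (a `text/` prefix would also block `text/javascript`), it needs its own step after the prefix check, so confirm the second commit adds a clause along the lines of "If type is script and MIMEType is `text/csv`, then return blocked." While rewording, the enumeration could take the Oxford comma ("audio/, image/, or video/") raised in the nit below.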
Member

Nit: I like Oxford commas ("audio, image, or ...").

@annevk
Member

annevk commented Aug 30, 2016

Please also add yourself to the acknowledgments. If it's all too much hassle, let me know and I'll handle the nits.

@evilpie
Contributor Author

evilpie commented Aug 30, 2016

Thanks for the quick feedback! I tried to fix your comments, but I am quite sure if I should use the brief class.

annevk pushed a commit that referenced this pull request Aug 31, 2016
When request's type is "script", this will make sure we also block
MIME types starting with "audio/" or "video/", or MIME types that are
text/csv. Due to browsers not paying any attention to "script" MIME
types this is blocklist-based, but it's better than nothing. (Use
`X-Content-Type-Options: nosniff` to make it safelist-based.)

PR: #379
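The commit message above describes two regimes: the blocklist check that this PR widens, and the safelist that `X-Content-Type-Options: nosniff` turns it into. The following is an added example modelling both, not text from the Fetch spec or this PR; the JavaScript MIME type list in it is an assumption for the example (a subset of the types browsers treat as JavaScript), and the header parsing is simplified.

```javascript
// Added example: a model of the "should response to request be blocked due to
// MIME type?" check after this PR, plus the nosniff safelist variant.

// MIME essence: "type/subtype" with parameters stripped, compared case-insensitively.
function essence(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Blocklist from the PR: audio/, image/, video/ prefixes and exact text/csv.
const BLOCKED_PREFIXES = ['audio/', 'image/', 'video/'];
const BLOCKED_EXACT = new Set(['text/csv']);

// Blocklist-based check: only script requests are affected; anything not on
// the list (e.g. text/plain) is still allowed, which is why it is "better
// than nothing" rather than a guarantee.
function blockedByBlocklist(requestType, contentType) {
  if (requestType !== 'script') return 'allowed';
  const e = essence(contentType);
  if (BLOCKED_PREFIXES.some((p) => e.startsWith(p))) return 'blocked';
  if (BLOCKED_EXACT.has(e)) return 'blocked';
  return 'allowed';
}

// Assumed list for this example; browsers recognise more aliases than these.
const JS_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-javascript',
  'text/ecmascript', 'text/javascript', 'text/jscript',
]);

// Safelist-based check: with "X-Content-Type-Options: nosniff" a script
// response must carry a JavaScript MIME type; otherwise fall back to the
// blocklist above. Header names are assumed lower-cased by the caller.
function blockedWithNosniff(requestType, headers, contentType) {
  if (requestType !== 'script') return 'allowed';
  const xcto = (headers['x-content-type-options'] || '').split(',')[0].trim().toLowerCase();
  if (xcto !== 'nosniff') return blockedByBlocklist(requestType, contentType);
  return JS_MIME_TYPES.has(essence(contentType)) ? 'allowed' : 'blocked';
}
```

The contrast to look for: `text/plain` passes the blocklist but fails the nosniff safelist, while `text/csv` is caught by the new exact-match rule even without nosniff.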
@annevk
Member

annevk commented Aug 31, 2016

Ta, landed as 2e85cef.
