Re: [w3c/ServiceWorker] importScript MIME type checking failure (#1288) from Matt Falkenhagen on 2018-03-19 (public-webapps-github@w3.org from March 2018)

From: Matt Falkenhagen <notifications@github.com>
Date: Mon, 19 Mar 2018 01:43:30 +0000 (UTC)
To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/ServiceWorker/issues/1288/374078010@github.com>

I think the spec required MIME type checking to prevent a situation where a user could exploit something like image uploads to place a script somewhere on the server and then install a service worker.

It seems sensible to extend the MIME check to importScripts as well as the main script.

Chrome has been considering lack of this check as an implementation bug. We just haven't gotten to it yet.

So I think it's OK to leave it in the spec. The WPT test also expects it:
https://wpt.fyi/service-workers/service-worker/registration-mime-types.https.html 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1288#issuecomment-374078010

Received on Monday, 19 March 2018 01:44:00 UTC