- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 11 Nov 2019 04:59:17 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/964@github.com>
https://github.com/whatwg/fetch/issues/721#issuecomment-470126129 has a sketch for the CORB++ idea. Basically, all opaque responses apart from a couple "safelisted responses" are blocked by the networking layer and turned into network errors.

In https://bugzilla.mozilla.org/show_bug.cgi?id=1531405 Mozilla looked at `Content-Type` headers for opaque responses that might end up being used as style sheets. For Firefox 71 beta, the breakdown is as follows (similar breakdown for other releases so I suspect this is representative enough):

* No header: 0.17%
* Empty header: 0.00% (some samples)
* Failed to parse: 0.00% (some samples)
* `text/css`: 99.48%
* Other: 0.35%

The main problem I see here is "No header". The platform treats this as `text/css` and 0.17% seems too high to block. (Note that "Other" is already blocked. Empty/Failed are not blocked currently I think, but could be.)

This means that we either have to sniff CSS in addition to JavaScript or give up completely on resources without a `Content-Type` header. That is, in order to protect against Spectre and memory exploits you need a `Content-Type` header set on any resource you put online (and ideally you also have `X-Content-Type-Options` set or CORP obviously as otherwise it still gets sniffed and might end up exposed if it parses as JavaScript).

@bzbarsky @valenting @jakearchibald @anforowicz @youennf thoughts?
Received on Monday, 11 November 2019 12:59:19 UTC
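The message above sorts opaque style-sheet responses into five `Content-Type` buckets and recommends that servers set `Content-Type` plus `X-Content-Type-Options: nosniff` or CORP. The following is an added example (not code from the thread or from any browser) that reproduces that bucketing over constructed response headers and flags which responses lack the recommended headers; the parse test is a simplified approximation of MIME type parsing, and the name `audit_responses` is hypothetical.

```python
import re

# Approximation of an HTTP token (RFC 7230 tchar); not a full MIME type parser.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MIME_RE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*(?:;.*)?$", re.S)


def content_type_bucket(headers: dict) -> str:
    """Return the telemetry bucket the message lists for a Content-Type value."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "content-type" not in lowered:
        return "no header"
    value = lowered["content-type"]
    if value.strip() == "":
        return "empty"
    match = _MIME_RE.match(value)
    if not match:
        return "failed to parse"
    essence = f"{match.group(1)}/{match.group(2)}".lower()
    return "text/css" if essence == "text/css" else "other"


def has_explicit_protection(headers: dict) -> bool:
    """True when the response opts out of sniffing (nosniff) or restricts cross-origin reads
    via CORP same-origin/same-site. Assumption: only those CORP values count as protection."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    nosniff = lowered.get("x-content-type-options") == "nosniff"
    corp = lowered.get("cross-origin-resource-policy") in ("same-origin", "same-site")
    return nosniff or corp


def audit_responses(responses: dict) -> dict:
    """Map each labelled header set to its bucket and whether it needs server-side fixing:
    anything not labelled text/css, or text/css without nosniff/CORP, needs action."""
    result = {}
    for name, headers in responses.items():
        bucket = content_type_bucket(headers)
        result[name] = {
            "bucket": bucket,
            "needs_action": bucket != "text/css" or not has_explicit_protection(headers),
        }
    return result


# Constructed sample responses (not real telemetry data).
SAMPLE_RESPONSES = {
    "ok_css":        {"Content-Type": "text/css; charset=utf-8", "X-Content-Type-Options": "nosniff"},
    "css_no_nosniff": {"Content-Type": "Text/CSS"},
    "no_header":     {"Cache-Control": "max-age=3600"},
    "empty_header":  {"content-type": "   "},
    "unparseable":   {"Content-Type": "css"},
    "html":          {"Content-Type": "text/html", "Cross-Origin-Resource-Policy": "same-origin"},
}
```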