Re: [whatwg/fetch] CORB: nosniff handling (#686)

> If we need CORB-filtered responses and other implementers are on board with them we should add them. It seems to me those would not expose any headers, but perhaps I'm missing something?

Ack.  I'll put that on a backburner for now and I'll try to focus on the current, incremental change that focues on nosniff-related behavior.

Regarding the question - CORB-filtered responses _do_ include some headers - see the "[How does CORB “block” a response](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#How-does-CORB-block-a-response)" section in the explainer.

--------------------------

> Once we add them we'd need to do nosniff differently, indeed, but I think the more we can handle as a network error the better, so what we say is a network error in this PR ideally remains to be so over time.

> (And doing this all incrementally seems like a very good approach to me, especially as a change like this can be isolated from a much more invasive change such as CORB-filtered responses or sniffing.)

Yes - I very much agree with this.

--------------------------

> What https://cs.chromium.org/chromium/src/services/network/cross_origin_read_blocking.cc?q=%22json%2B%22&sq=package:chromium&dr=C&l=83 considers JSON is a superset of what this PR considers JSON. Is that intentional? (I think this also goes for XML.)

> "needs tests" label

I am trying to 1) restrict which MIME types are CORB-protected and 2) add WPT tests for this in https://crrev.com/c/985211.  Please chime in if you have any feedback (e.g. I am slightly tweaking and reusing nosniff/image.py).

One thing I've realized after working on this CL is that my initial PR was too broad - CORB is limited to cross-origin, non-CORS-allowed responses (unlike other nosniff directives in the section I am changing).  I've pushed another revision of the PR which more closely reflects reality, but is unfortunately slightly more complex and inconsistent with the other nosniff directives.  This seems unfortunate, but may be still be the right way to proceed.  WDYT?

--------------------------

> Are you planning on changing the implementation to use a network error for the cases enumerated in the PR

I still think that the difference between net-error-VS-empty-body is not observable for images, media, etc.  Nevertheless, we've talked about this earlier today and we'll try to see what breaks if we try to change the CORB implementation to inject a net-error (either for a subset or for all of responses).  For now, I've opened https://crbug.com/827633 to track this work.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/686#issuecomment-377603600

Received on Friday, 30 March 2018 19:31:47 UTC