- From: Lukasz Anforowicz <notifications@github.com>
- Date: Mon, 07 May 2018 17:35:25 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/686/review/118080890@github.com>
anforowicz commented on this pull request.

> + <a>HTTP(S) scheme</a>, then return <b>allowed</b>. + + <li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a> + from <var>response</var>'s <a for=response>header list</a>. + + <li><p>If <var>response</var>'s <a for=response>status</a> is <code>206</code> and + <var>mimeType</var> (ignoring parameters) is a <a>CORB-protected MIME type</a>, then return + <b>blocked</b>. + + <li><p>Let <var>nosniff</var> be the result of <a>extracting header values</a> from the + <em>first</em> <a for=/>header</a> whose <a for=header>name</a> is a <a>byte-case-insensitive</a> + match for `<a http-header><code>X-Content-Type-Options</code></a>` in <var>response</var>'s + <a for=response>header list</a>. + + <li><p>If <var>nosniff</var> is not failure and <var>mimeType</var> (ignoring parameters) is a + <a>CORB-protected MIME type</a> or <code>text/plain</code>, then return <b>blocked</b>.

Done. @csreis might have an opinion on what is the right thing to do here - on one hand we want to protect as many sensitive resources as possible, OTOH dropping text/plain protections would avoid extra special-cases in the spec and in the code.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/686#discussion_r186492375
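Review bot: the nosniff step in the quoted hunk ("Let nosniff be the result of extracting header values ..." followed by "If nosniff is not failure and ...") blocks whenever the first X-Content-Type-Options header yields any value at all, not only when that value is `nosniff`; as written, a response carrying `X-Content-Type-Options: foo` would be treated exactly like `X-Content-Type-Options: nosniff`. Suggest adding an explicit comparison before blocking, along the lines of "If nosniff is not failure and nosniff is a byte-case-insensitive match for `nosniff` and mimeType (ignoring parameters) is a CORB-protected MIME type or text/plain, then return blocked." Related, the hunk never spells out what happens when "extracting a MIME type" returns failure; the later "is a CORB-protected MIME type" tests only handle that by implication, so an explicit "If mimeType is failure, then return allowed" step right after the extraction would make the intended outcome unambiguous for implementers.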
Received on Monday, 7 May 2018 17:35:50 UTC