Re: [whatwg/fetch] More CORB-protected MIME types (#721)

No good reason for not covering other MIME types - covering only HTML/XML/JSON was an outcome of trying to protect the resources most likely to contain sensitive data while at the same time minimizing the risk of breaking existing websites. I very much agree that CORB should be extended to cover more resources, although I think we'd like to wait on this until the HTML/XML/JSON implementation in Chromium reaches the Chrome stable channel and doesn't uncover any worrisome issues.

I think we have the following options for extending CORB to other MIME types:
- Explicitly adding MIME types one-by-one (csv, pdf, zip, etc.).
    - It seems that mislabeling of images/audio/video/scripts with these MIME types is unlikely, so maybe CORB confirmation sniffing is not necessary for them.
    - This doesn't scale and won't help protect 1) many existing types or 2) a hypothetical new JSON-or-XML-like-format-from-the-future
- Changing CORB so that instead of using a blacklist (HTML/XML/JSON currently) it uses a whitelist (everything other than javascript/css/images/audio/video/fonts/... - see the [explainer section here](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#Appendix_Future-work-protecting-more-resource-types))
    - This seems to be much cleaner/pure design, but it also seems riskier than other approaches - it requires enumerating all the legacy types that cross-origin-safe resources are served with (for example the `application/octet-stream` case that [burned Firefox back in the day](https://bugzilla.mozilla.org/show_bug.cgi?id=1302539)).
- Using an opt-in header (like maybe the [From-Origin](https://github.com/whatwg/fetch/issues/687) header)

PS. I am not sure I understand the `text/webvtt` example. Isn't this an example of a resource that (like video/audio/images) *can* be embedded cross-origin?

-- 
https://github.com/whatwg/fetch/issues/721#issuecomment-387165076

Received on Monday, 7 May 2018 18:50:57 UTC
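The following is an added example, not code from the fetch spec, Chromium, or the comment above. It models the two list-based strategies the comment compares: the current blocklist (HTML/XML/JSON plus confirmation sniffing) and a hypothetical allowlist (block everything that is not an embeddable type, with a sniff-before-block exception for legacy `application/octet-stream`). The MIME lists, the regex sniffers, the `nosniff` handling and the sample responses are all simplified assumptions for illustration; the opt-in header option is not modeled.

```javascript
// Added example (not from the fetch spec, Chromium, or the thread): a toy
// model of two CORB extension strategies. Lists and sniffers are assumptions.

// Strategy 1 ("blocklist"): protect only these types, as CORB does today.
const BLOCKLIST = new Set(['text/html', 'text/xml', 'application/xml', 'application/json']);

// Strategy 2 ("allowlist"): block everything except types that are
// legitimately embeddable cross-origin (scripts, styles, media, fonts, ...).
const EMBEDDABLE = new Set([
  'text/javascript', 'application/javascript', 'text/css',
  'image/png', 'image/jpeg', 'image/gif', 'audio/mpeg', 'video/mp4',
  'font/woff2', 'text/webvtt',
]);

// Legacy types that sometimes carry embeddable content (the
// application/octet-stream case); an allowlist must sniff before blocking.
const LEGACY_TYPES = new Set(['application/octet-stream']);

function normalizeMime(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Deliberately small confirmation sniffers (real CORB sniffers are more careful).
const SNIFFERS = {
  html: body => /^\s*<(!doctype\s+html|html|head|body|script|div|p|!--)/i.test(body),
  xml: body => /^\s*<\?xml/i.test(body),
  json: body => /^\s*(\)\]\}'|\{\s*"|\[)/.test(body),
};

// Returns 'html', 'xml', 'json', or null when the body matches none of them.
function sniffKind(body) {
  for (const [kind, test] of Object.entries(SNIFFERS)) {
    if (test(body)) return kind;
  }
  return null;
}

// Which sniffer must confirm a given protected MIME type.
function expectedKind(mime) {
  if (mime === 'text/html') return 'html';
  if (mime === 'text/xml' || mime === 'application/xml') return 'xml';
  if (mime === 'application/json') return 'json';
  return null;
}

// Decide whether a cross-origin response body should be withheld from the
// renderer under the given policy. `headers` is a lowercase-keyed object.
function corbDecision(policy, headers, body) {
  const mime = normalizeMime(headers['content-type']);
  const nosniff = (headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';

  if (policy === 'blocklist') {
    if (!BLOCKLIST.has(mime)) return { block: false, reason: 'not a protected type' };
    if (nosniff) return { block: true, reason: 'protected type, nosniff set' };
    if (sniffKind(body) === expectedKind(mime)) return { block: true, reason: 'protected type, sniff confirmed' };
    return { block: false, reason: 'protected type, but sniff did not confirm (possible mislabel)' };
  }
  if (policy === 'allowlist') {
    if (EMBEDDABLE.has(mime)) return { block: false, reason: 'embeddable type' };
    if (LEGACY_TYPES.has(mime) && !nosniff) {
      return sniffKind(body)
        ? { block: true, reason: 'legacy type, sniffed as html/xml/json' }
        : { block: false, reason: 'legacy type, not sniffable as sensitive content' };
    }
    return { block: true, reason: 'not on allowlist' };
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed sample responses, chosen to show where the two policies differ.
const SAMPLES = [
  { name: 'json-api', headers: { 'content-type': 'application/json' }, body: '{"balance": 42}' },
  { name: 'csv-export', headers: { 'content-type': 'text/csv' }, body: 'name,balance\nalice,42\n' },
  { name: 'mislabeled-script', headers: { 'content-type': 'text/html' }, body: 'var x = 1;' },
  { name: 'octet-script', headers: { 'content-type': 'application/octet-stream' }, body: 'function f() {}' },
  { name: 'subtitles', headers: { 'content-type': 'text/webvtt' }, body: 'WEBVTT\n\n00:00.000 --> 00:01.000\nhi\n' },
];

// Run both policies over the samples and return the block/allow outcome of each.
function compare(samples = SAMPLES) {
  return samples.map(s => ({
    name: s.name,
    blocklist: corbDecision('blocklist', s.headers, s.body).block,
    allowlist: corbDecision('allowlist', s.headers, s.body).block,
  }));
}

console.table(compare());
```

Running it shows the trade-off in the comment: the blocklist leaves `text/csv` unprotected, the allowlist protects it but also blocks the mislabeled `text/html` script that confirmation sniffing would have let through, and the `application/octet-stream` script survives under the allowlist only because of the legacy sniff-before-block exception.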