Re: [whatwg/fetch] More CORB-protected MIME types (#721)

> @anforowicz text/webvtt cannot be fetched cross-origin without CORS, unless I'm missing something.

TIL :-)  In that case I don't have concerns with including text/webvtt on the blacklist, next to HTML/XML/JSON/etc.

> I think the safelist approach is the way forward.

I agree.  From the Chrome side we can probably use https://crbug.com/802836 for tracking.  Before we proceed I think we need to:
- Decide how to handle responses with a missing `Content-Type` header
- Flesh out the contents of the blacklist.  I think so far we have:
    * [JavaScript MIME type](https://html.spec.whatwg.org/#javascript-mime-type)
      like `application/javascript` or `text/jscript`
    * `text/css`
    * [image types](https://mimesniff.spec.whatwg.org/#image-type) like types
      matching `image/*`
    * [audio or video types](https://mimesniff.spec.whatwg.org/#audio-or-video-type)
      like `audio/*`, `video/*` or `application/ogg`
    * `font/*` or one of legacy [font types](https://mimesniff.spec.whatwg.org/#font-type)
    * `multipart/*`
    * Other MIME types like `application/octet-stream`
    * I am also not sure what special treatment (if any) `application/x-shockwave-flash` should get

Also - if (for whatever reason) we decide to stick with the blacklist approach, then how can we decide what MIME types to cover in addition to HTML/XML/JSON?  So far I think I've heard:
- `text/webvtt` (and also `text/vtt`?  how likely is it that sensitive/origin-bound data is present here?)
- `application/pdf` (example of sensitive data: bank statement)
- `application/zip` (example of sensitive data: downloading a directory from Google Drive / Dropbox / etc.)

https://github.com/whatwg/fetch/issues/721#issuecomment-387440021

Received on Tuesday, 8 May 2018 15:21:41 UTC
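As an added illustration of the categories the comment above is sorting MIME types into (not code from the Fetch spec, from Chromium, or from anyone in this thread), the function below takes a response's `Content-Type` value and reports whether it falls in the group the comment lists as safe to hand to a cross-origin `no-cors` requester (scripts, stylesheets, images, media, fonts, multipart), in the HTML/XML/JSON/`text/webvtt` group that CORB would protect, in neither, or has no `Content-Type` at all (the open question from the first bullet). The concrete JavaScript and legacy font type lists are transcribed from the linked HTML and MIME Sniffing specs and are assumptions of this example; `parseMimeType` is a deliberately minimal stand-in for a real MIME type parser, and the optional `extraProtected` set is where candidates such as `application/pdf` or `application/zip` from the second list could be plugged in for experimentation.

```javascript
// Added example, not code from the Fetch spec, Chromium or this thread.
// Buckets returned by classifyResponse():
//   "allowed"   - types the comment lists as fine for cross-origin no-cors loads
//   "protected" - HTML, XML, JSON and text/webvtt (what CORB would block)
//   "unknown"   - anything else, e.g. application/octet-stream (left undecided)
//   "missing"   - no Content-Type header at all (open question in the thread)

// Minimal parser (assumption: good enough for "type/subtype; params" input).
// A production implementation would use the full MIME Sniffing parse algorithm.
function parseMimeType(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const slash = essence.indexOf("/");
  if (slash <= 0 || slash === essence.length - 1) return null;
  return { type: essence.slice(0, slash), subtype: essence.slice(slash + 1), essence };
}

// JavaScript MIME types as enumerated by the HTML spec (transcribed, assumption).
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Legacy font types from the MIME Sniffing spec (transcribed, assumption);
// font/* is handled by a prefix check below.
const LEGACY_FONT_MIME_TYPES = new Set([
  "application/font-cff", "application/font-off", "application/font-sfnt",
  "application/font-ttf", "application/font-woff",
  "application/vnd.ms-fontobject", "application/vnd.ms-opentype",
]);

// HTML/XML/JSON plus text/webvtt, the types the thread agrees CORB should cover.
function isProtectedType(m, extraProtected) {
  if (m.essence === "text/html") return true;
  if (m.essence === "text/xml" || m.essence === "application/xml" || m.subtype.endsWith("+xml")) return true;
  if (m.essence === "application/json" || m.essence === "text/json" || m.subtype.endsWith("+json")) return true;
  if (m.essence === "text/webvtt") return true;
  return extraProtected.has(m.essence);
}

// The types listed in the comment as loadable cross-origin without CORS.
function isAllowedType(m) {
  if (JAVASCRIPT_MIME_TYPES.has(m.essence)) return true;
  if (m.essence === "text/css") return true;
  if (m.type === "image") return true;
  if (m.type === "audio" || m.type === "video" || m.essence === "application/ogg") return true;
  if (m.type === "font" || LEGACY_FONT_MIME_TYPES.has(m.essence)) return true;
  if (m.type === "multipart") return true;
  return false;
}

// Protected types are checked first on purpose: image/svg+xml is XML and must
// not slip through via the image/* rule (a design choice of this example).
function classifyResponse(contentType, extraProtected = new Set()) {
  if (contentType === undefined || contentType === null || contentType === "") return "missing";
  const m = parseMimeType(contentType);
  if (m === null) return "unknown";
  if (isProtectedType(m, extraProtected)) return "protected";
  if (isAllowedType(m)) return "allowed";
  return "unknown";
}

// Constructed sample headers, as a demonstration when run directly.
for (const ct of ["text/html; charset=utf-8", "text/jscript", "image/svg+xml",
                  "application/octet-stream", "application/x-shockwave-flash", undefined]) {
  console.log(JSON.stringify(ct), "->", classifyResponse(ct));
}
```

Running the block prints one line per constructed header; `application/octet-stream` and `application/x-shockwave-flash` land in the `unknown` bucket, which is exactly the part of the list the comment leaves open, and a missing header is reported separately rather than silently treated as either safe or protected.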