- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 10 May 2018 13:15:16 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 10 May 2018 13:15:45 UTC
`text/vtt` is the correct MIME type. `text/webvtt` is something I made up. I don't think it's likely to contain private information, but if we stick to a blocklist we should block as many MIME types as we can.

I think these are all the no-cors consumers:

- Plugins
- Images
- Media (except for subtitles, those are CORS-bound)
- CSS (this requires a correct MIME type cross-origin fortunately, so we only need to safelist `text/css` for this not to break)
- Classic JavaScript

I think fonts are CORS-bound, but perhaps not in Safari still.

However, all of the above are pretty notorious for being served with the wrong MIME type. Perhaps it's slightly better if we require `X-Content-Type-Options` as well as allow some of the wrong MIME types (such as `application/octet-stream`), but then the question becomes how many sites specify `X-Content-Type-Options`. (Since otherwise sites still need to perform work in order to get protection.)

View it on GitHub: https://github.com/whatwg/fetch/issues/721#issuecomment-388049750