Re: [whatwg/fetch] More CORB-protected MIME types (#721)

So the safelist approach would be:

1. If destination is style, and mime type is not `text/css`, return blocked.
1. If the response has opted out of sniffing, and the mime-type is not one of the allowed no-cors types, return blocked.
1. Use the destination of the response to filter the set of sniffing algorithms to try (so if the destination is 'image', only keep the image sniffing algorithms. This is a performance optimisation, nothing to do with security).
1. Try each of the sniffing algorithms. If any match, return allowed.
1. Return blocked.

In cases where the destination doesn't filter the sniffing algorithms (e.g. `fetch(url, {mode: 'no-cors'})`), it might be slow due to the amount of checking. We either just take the hit here, or find a way to keep an opaque response's body in another process until we can perform a specific sniff.

> I think fonts are CORS-bound and therefore do not need to be considered, but perhaps not in Safari still.

Yeah they're CORS requests according to the spec. If Safari's still violating the spec there, they'll probably have to violate/extend the spec here too, to add font mime type checking and content sniffing.

-- 
https://github.com/whatwg/fetch/issues/721#issuecomment-388091805

Received on Thursday, 10 May 2018 15:37:58 UTC
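
The five-step safelist check from the message above, written out as an added example (not part of the original message or the Fetch specification). The allowlist contents, the small sniffer table, and reading "opted out of sniffing" as `X-Content-Type-Options: nosniff` are assumptions, and all names are hypothetical.

```javascript
// Added illustration; every name below is hypothetical, not from the Fetch spec.
// Assumption: "opted out of sniffing" means X-Content-Type-Options: nosniff.
// Assumption: stand-in for the "allowed no-cors types", which the message does not list.
const ALLOWED_NO_CORS_TYPES = new Set(['image/png', 'image/gif', 'image/jpeg', 'audio/ogg']);

const startsWith = (body, sig) => sig.every((byte, i) => body[i] === byte);

// Constructed subset of sniffers, each tagged with the destination it serves.
const SNIFFERS = [
  { dest: 'image', match: b => startsWith(b, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) }, // PNG
  { dest: 'image', match: b => startsWith(b, [0x47, 0x49, 0x46, 0x38]) },                         // GIF8
  { dest: 'image', match: b => startsWith(b, [0xff, 0xd8, 0xff]) },                               // JPEG
  { dest: 'audio', match: b => startsWith(b, [0x4f, 0x67, 0x67, 0x53]) },                         // OggS
];

// Strip parameters such as "; charset=utf-8" and normalise case.
const mimeEssence = contentType => (contentType || '').split(';')[0].trim().toLowerCase();

function safelistCheck({ destination, contentType, nosniff, body }) {
  const mime = mimeEssence(contentType);
  // Step 1: a style destination only accepts text/css.
  if (destination === 'style' && mime !== 'text/css') return 'blocked';
  // Step 2: with sniffing opted out, the declared type must be on the allowlist.
  if (nosniff && !ALLOWED_NO_CORS_TYPES.has(mime)) return 'blocked';
  // Step 3: narrow the sniffers by destination (performance only). A destination
  // with no dedicated sniffers, such as '' for fetch(), falls back to trying all.
  const narrowed = SNIFFERS.filter(s => s.dest === destination);
  const candidates = narrowed.length > 0 ? narrowed : SNIFFERS;
  // Step 4: any matching sniffer allows the response.
  if (candidates.some(s => s.match(body))) return 'allowed';
  // Step 5: default deny.
  return 'blocked';
}

// Constructed sample bodies.
const PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00]);
const HTML = new TextEncoder().encode('<!doctype html><p>account data</p>');
const OGG = new TextEncoder().encode('OggS\u0000\u0002');

// An HTML body labelled image/png and requested as an image matches no image sniffer.
console.log(safelistCheck({ destination: 'image', contentType: 'image/png', nosniff: false, body: HTML }));
```
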