- From: Lukasz Anforowicz <notifications@github.com>
- Date: Wed, 16 May 2018 09:57:41 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/721/389591242@github.com>
> > I don't understand why we'd switch this approach to sniffing for allowed resources:
>
> Isn't it better to further limit the amount of no-cors data that can end up in the process? It just seems like no-cors is a source of so many security issues, so trying to restrict it as much as possible seems like a good thing.

I agree that it is better to limit the amount of no-cors data that can end up in a cross-origin process. I don't understand why [above](https://github.com/whatwg/fetch/issues/721#issuecomment-388091805) you are proposing to use "image sniffing algorithms" rather than continue using the current CORB approach of only doing _confirmation_ sniffing. In other words, I don't understand what is wrong with the following sniffing scheme for CORB:

- `Content-Type: text/html` => sniff to confirm that the response really contains HTML (and not an HTML/JS polyglot or an image, for example). Block only if 100% confident that the response really contains HTML.
- `Content-Type: text/json`, `Content-Type: application/xml` => sniff similarly to the above (i.e. only attempt to confirm the declared Content-Type).
- New Content-Type (e.g. PDF/ZIP/etc.) => block outright without any CORB sniffing (assuming that mislabeling an image as PDF is unlikely / behaving as if nosniff was present in the response headers).

--
View it on GitHub: https://github.com/whatwg/fetch/issues/721#issuecomment-389591242
Received on Wednesday, 16 May 2018 16:58:04 UTC
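The decision procedure the comment sketches (confirmation sniffing for HTML/JSON/XML, outright blocking for newly protected types, nosniff disabling the sniff), written out as an added example; this is editor-supplied code, not code from the thread or from any browser's CORB implementation, and the tag list, the `)]}'` JSON prefix handling and the "new type" set are assumptions chosen for illustration.

```python
import re

# Types that get confirmation sniffing, as in the comment above.
CONFIRM_SNIFF = {"text/html", "text/json", "application/json", "application/xml", "text/xml"}
# Hypothetical newly protected types: block outright, no sniffing (assumed set).
BLOCK_OUTRIGHT = {"application/pdf", "application/zip"}

# Confirmation sniffers: return True only when the body clearly IS the declared type.
# Leading whitespace is tolerated; anything else (image magic bytes, a JS/HTML
# polyglot starting with "/*", an empty body) fails to confirm.
_HTML_RE = re.compile(
    rb"^\s*<(?:!doctype\b|html\b|head\b|body\b|script\b|meta\b|title\b|iframe\b|div\b)",
    re.IGNORECASE,
)
# Accepts an optional ")]}'" anti-JSON-hijacking prefix before the object/array.
_JSON_RE = re.compile(rb"^\s*(?:\)\]\}'\s*)?[\[{]")


def _looks_like_html(body: bytes) -> bool:
    return _HTML_RE.match(body) is not None


def _looks_like_json(body: bytes) -> bool:
    return _JSON_RE.match(body) is not None


def _looks_like_xml(body: bytes) -> bool:
    return body.lstrip().startswith(b"<?xml")


def corb_decision(content_type: str, headers: dict, body_prefix: bytes) -> str:
    """Return "block" or "allow" for a no-cors response delivered to a cross-origin process."""
    mime = content_type.split(";")[0].strip().lower()
    hdrs = {k.lower(): v for k, v in headers.items()}
    nosniff = hdrs.get("x-content-type-options", "").strip().lower() == "nosniff"
    if mime in BLOCK_OUTRIGHT:
        return "block"            # new protected type: no sniffing at all
    if mime not in CONFIRM_SNIFF:
        return "allow"            # images, fonts, etc.: not CORB-protected
    if nosniff:
        return "block"            # trust the declared type, skip confirmation
    if mime == "text/html":
        confirmed = _looks_like_html(body_prefix)
    elif mime.endswith("json"):
        confirmed = _looks_like_json(body_prefix)
    else:
        confirmed = _looks_like_xml(body_prefix)
    # Block only when the sniff confirms the label; otherwise let it through,
    # since a mislabeled image must keep working.
    return "block" if confirmed else "allow"
```

Note that a mislabeled PNG under `text/html` is allowed through while the same bytes with `nosniff` are blocked, which is exactly the asymmetry the comment relies on.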