Re: [whatwg/fetch] Define the Content-Type header parser (#831)

domenic approved this pull request.

Really great, thanks for all the iteration! Only a couple minor suggestions.

> @@ -471,6 +679,26 @@ each other by 0x2C 0x20, in order.
      "<code>text/plain</code>", then return false.
     </ol>
 
+    <p class=warning>This intentionally does not use <a>extract a MIME type</a> as that algorithm is
+    rather forgiving and servers are not expected to implement it.
+
+    <div class="example no-backref" id=example-cors-safelisted-request-header-content-type>
+     <p>If <a>extract a MIME type</a> were used the following request would not result in a CORS
+     preflight and a naïve parser on the server might treat the request body as JSON:
+
+     <pre><code>
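Review bot: The example at `id=example-cors-safelisted-request-header-content-type` should make the failure mode explicit rather than leaving it to the reader: after the request, state the exact `Content-Type` value sent, what "extract a MIME type" would have produced from it, and which step of the safelist check in the preceding `<ol>` returns false for it. Without that, "a naïve parser on the server might treat the request body as JSON" does not tell an implementer which leniency of the extraction algorithm (and therefore which input) the stricter check is guarding against.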

Put `highlight="js"` here? A general problem in the Fetch spec though. https://tabatkins.github.io/bikeshed/#syntax-highlighting

> +   <li><p>Otherwise, if <var>mimeType</var>'s
+   <a for="MIME type">parameters</a>["<code>charset</code>"] does not <a for=map>exist</a>, and
+   <var>charset</var> is non-null, set <var>mimeType</var>'s
+   <a for="MIME type">parameters</a>["<code>charset</code>"] to <var>charset</var>.
+  </ol>
+
+ <li><p>If <var>mimeType</var> is null, then return failure.
+
+ <li><p>Return <var>mimeType</var>.
+</ol>
+
+<p class=warning>When <a>extract a MIME type</a> returns failure or a <a for=/>MIME type</a> whose
+<a for="MIME type">essence</a> is incorrect for a given format, treat this as a fatal error.
+Existing web platform features have not always followed this pattern, which has been a major source
+of security vulnerabilities in those features over the years. A <a for=/>MIME type</a>'s
+<a for="MIME type">parameters</a> are typically ignored and this has not been a problem in practice.

OK, now I made it a bit weird, sorry. Maybe keep it in the red warning, but put that sentence in parenthesis, and optionally prefix it with "In contrast, ".

(Or just merge as-is, this works fine.)

https://github.com/whatwg/fetch/pull/831#pullrequestreview-177469500

Received on Thursday, 22 November 2018 00:25:46 UTC