Re: [whatwg/fetch] Define parsing for X-Content-Type-Options in detail (#818) from Domenic Denicola on 2018-10-17 (public-webapps-github@w3.org from October 2018)

From: Domenic Denicola <notifications@github.com>
Date: Wed, 17 Oct 2018 07:06:19 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/818/review/165647282@github.com>

domenic commented on this pull request.

Don't feel super competent to review the actual processing model but overall seems good. Editorial review done.

> @@ -2498,7 +2508,32 @@ response <a for=/>header</a> can be used to require checking of a <a for=/>respo
 `<code>Content-Type</code>` <a for=/>header</a> against the <a for=request>destination</a> of a
 <a for=/>request</a>.
 
-<p>Its <a for=header>value</a> <a>ABNF</a>:
+<p>To <dfn>determine nosniff</dfn>, given a <a for=/>header list</a> <var>list</var>, run these
+steps:
+
+<ol>
+ <li><p>Let <var>value</var> be the result of <a for="header list">getting</a>
+ `<a http-header><code>X-Content-Type-Options</code></a>` from <var>list</var>.
+
+ <li><p>If <var>value</var> is null, then return false.
+
+ <li><p>Let <var>stringValue</var> be the <a>isomorphic encode</a> of <var>value</var>.
+
+ <li>
+  <p>Let <var>tokens</var> be the result of
+  <a lt="split on commas">Spliting <var>stringValue</var> on commas</a>.

lowercase "s"

> +
+ <li>
+  <p>Let <var>tokens</var> be the result of
+  <a lt="split on commas">Spliting <var>stringValue</var> on commas</a>.
+
+  <p class="note">This intentionally strips U+000C FORM FEED, despite 0x0C not being being a
+  <a>HTTP whitespace byte</a>.
+
+ <li><p>If <var>tokens</var>[0] is an <a>ASCII case-insensitive</a> match for
+ "<code>nosniff</code>", then return true.
+
+ <li><p>Return false.
+</ol>
+
+<p>Web developers and conformance checkers must use the following <a for=header>value</a>
+<a>ABNF</a> for `<a http-header><code>X-Content-Type-Options</code></a>`:
 
 <pre>
 X-Content-Type-Options           = "nosniff" ; case-insensitive</pre>

Why are there so many spaces here? (Preexisting problem)

>   <li>
-  <p>If <var>nosniff</var> is not failure and <var>mimeType</var> (ignoring parameters) is a
-  <a>CORB-protected MIME type</a> or <code>text/plain</code>, then return <b>blocked</b>.
+  <p>If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is true
+  and <var>mimeType</var> (ignoring parameters) is a <a>CORB-protected MIME type</a> or

"(ignoring parameters)" is technically redundant here as the definition of each of these MIME types is checking the essence. But, maybe best to leave in for clarity.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/818#pullrequestreview-165647282

Received on Wednesday, 17 October 2018 14:06:44 UTC