- From: Mike West <notifications@github.com>
- Date: Thu, 18 Oct 2018 00:44:31 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/818/review/165956951@github.com>
mikewest approved this pull request.
One style nit, but the substance looks correct to me. Thank you!
> @@ -2498,7 +2508,32 @@ response <a for=/>header</a> can be used to require checking of a <a for=/>respo
`<code>Content-Type</code>` <a for=/>header</a> against the <a for=request>destination</a> of a
<a for=/>request</a>.
-<p>Its <a for=header>value</a> <a>ABNF</a>:
+<p>To <dfn>determine nosniff</dfn>, given a <a for=/>header list</a> <var>list</var>, run these
+steps:
+
+<ol>
+ <li><p>Let <var>value</var> be the result of <a for="header list">getting</a>
+ `<a http-header><code>X-Content-Type-Options</code></a>` from <var>list</var>.
+
+ <li><p>If <var>value</var> is null, then return false.
+
+ <li><p>Let <var>stringValue</var> be the <a>isomorphic encode</a> of <var>value</var>.
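Review bot: The direction of the conversion in "Let <var>stringValue</var> be the <a>isomorphic encode</a> of <var>value</var>" looks reversed: <var>value</var> is the result of getting a header from a header list, which is a byte sequence, and the step that follows splits <var>stringValue</var> on commas, which operates on a string. Isomorphic encode maps a string to a byte sequence; the byte-sequence-to-string direction is isomorphic decode. Suggest: `<li><p>Let <var>stringValue</var> be the <a>isomorphic decode</a> of <var>value</var>.`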
I wonder if this should be part of the generic `get` algorithm?
> + <li><p>Let <var>value</var> be the result of <a for="header list">getting</a>
+ `<a http-header><code>X-Content-Type-Options</code></a>` from <var>list</var>.
+
+ <li><p>If <var>value</var> is null, then return false.
+
+ <li><p>Let <var>stringValue</var> be the <a>isomorphic encode</a> of <var>value</var>.
+
+ <li>
+ <p>Let <var>tokens</var> be the result of
+ <a lt="split on commas">Spliting <var>stringValue</var> on commas</a>.
+
+ <p class="note">This intentionally strips U+000C FORM FEED, despite 0x0C not being being a
+ <a>HTTP whitespace byte</a>.
+
+ <li><p>If <var>tokens</var>[0] is an <a>ASCII case-insensitive</a> match for
+ "<code>nosniff</code>", then return true.
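Review bot: Typos in the splitting step and its note: "Spliting" should be "Splitting", and "despite 0x0C not being being a <a>HTTP whitespace byte</a>" should read "despite 0x0C not being an <a>HTTP whitespace byte</a>". It would also help readers to say in the note why the extra stripping is acceptable, since the step deliberately diverges from the HTTP whitespace definition used elsewhere in this section.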
I think this is accurate: Chrome only looks at the first item (see https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/network/http_parsers.cc?rcl=80ce30280a48850aad465138b84fe209474733e8&l=384), and it looks like that's what's going on in Firefox as well (https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannel.cpp#1444).
> @@ -2498,7 +2508,32 @@ response <a for=/>header</a> can be used to require checking of a <a for=/>respo
`<code>Content-Type</code>` <a for=/>header</a> against the <a for=request>destination</a> of a
<a for=/>request</a>.
-<p>Its <a for=header>value</a> <a>ABNF</a>:
+<p>To <dfn>determine nosniff</dfn>, given a <a for=/>header list</a> <var>list</var>, run these
+steps:
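Review bot: The lead-in "run these steps:" does not say what the steps produce, although every step that terminates returns true or false and the callers branch on that value. Suggest stating the return type in the definition, e.g. `<p>To <dfn>determine nosniff</dfn>, given a <a for=/>header list</a> <var>list</var>, run these` / `steps, which return a boolean:`, so the `<dfn>` is self-describing where it is defined rather than only at its use site.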
The usage below ("If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is
false") reads a bit strangely. Perhaps we could reformulate this as "A given header list <dfn>enforces strict MIME type checking</dfn> if the following steps return `true`:", which would lead to "If <var>response</var>'s <a for=response>header list</a> <a>enforces strict MIME type checking</a>...", which reads more naturally to me.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/818#pullrequestreview-165956951
Received on Thursday, 18 October 2018 07:44:52 UTC
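As an added example (not code from the Fetch spec, the PR, or the reviewer), here is a Python rendering of the quoted "determine nosniff" steps, showing the first-item-only semantics discussed in the review and the FORM FEED stripping the note describes. The header-list representation (a list of (name, value) byte pairs) and the minimal `get_header` stand-in for the header list "get" operation are assumptions of this example.

```python
# Added example: a direct implementation of the quoted "determine nosniff"
# steps, as a browser would apply them before deciding whether to enforce
# strict MIME type checking on a response. Not the spec's or the PR's code.

# Infra "ASCII whitespace": TAB, LF, FORM FEED, CR, SPACE. Note that U+000C
# FORM FEED is included, which is what the spec note about 0x0C refers to.
ASCII_WHITESPACE = "\t\n\x0c\r "


def isomorphic_decode(value):
    """Infra 'isomorphic decode': each byte becomes the code point of the same value."""
    return value.decode("latin-1")


def split_on_commas(s):
    """Infra 'split on commas': split on U+002C, strip ASCII whitespace from each token.
    An empty input yields [''], so tokens[0] always exists."""
    return [tok.strip(ASCII_WHITESPACE) for tok in s.split(",")]


def ascii_lower(s):
    """ASCII-only lowercasing, so the comparison is ASCII case-insensitive
    rather than Unicode case-insensitive (str.lower() would be the latter)."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def get_header(header_list, name):
    """Assumed stand-in for the header list 'get' operation: values of all
    headers whose name matches byte-case-insensitively, joined with ', ';
    None if the name is absent. header_list is a list of (name, value) bytes pairs."""
    matches = [v for (n, v) in header_list if n.lower() == name.lower()]
    if not matches:
        return None
    return b", ".join(matches)


def determine_nosniff(header_list):
    """Return True iff the first comma-separated item of X-Content-Type-Options
    is an ASCII case-insensitive match for 'nosniff'. Later items are ignored,
    matching the first-item-only behaviour noted in the review."""
    value = get_header(header_list, b"X-Content-Type-Options")
    if value is None:
        return False
    string_value = isomorphic_decode(value)
    tokens = split_on_commas(string_value)
    return ascii_lower(tokens[0]) == "nosniff"


if __name__ == "__main__":
    # Constructed sample: two X-Content-Type-Options headers combine to "foo, nosniff".
    hdrs = [(b"X-Content-Type-Options", b"foo"), (b"X-Content-Type-Options", b"nosniff")]
    print(determine_nosniff(hdrs))  # False: only the first item counts
```

Defensively, this means a response that wants strict MIME checking must put `nosniff` first (and ideally alone); an earlier unrelated token switches the protection off.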