Re: [whatwg/fetch] Cross-Origin Read Blocking (CORB) (#681)

@annevk, I think that the only part of CORB that still requires an official description is the sniffing algorithm that CORB uses to say with high confidence that the response really contains an html / xml / json document.  This sniffing differs slightly from the sniffing algorithms in the [mimesniff spec](https://mimesniff.spec.whatwg.org/#identifying-a-resource-with-an-unknown-mime-type), because of the need to avoid accidentally sniffing JavaScript (allowed in cross-origin responses) as HTML (blocked by CORB in cross-origin responses).

Q: Is the description of the sniffing algorithm the main/only blocker for implementing CORB in other browsers?

AFAIR, I've tried to argue that differences in sniffing implementations would not be (*) observable by web contents (assuming that the sniffing correctly classified a response as html/xml/json only if the response really is html/xml/json and not one of the cross-origin-allowed types like javascript or css).  This led me to further argue that sniffing shouldn't be described in a normative part of a spec (but possibly still described in a non-normative spec section or in a separate document).  So - I think describing Chromium's CORB sniffing algorithm in the CORB explainer might be a good first step here.  WDYT?

Q: WDYT?  Where should the sniffing algorithm's description go (in the short term and in the long term)?

(*) OTOH, maybe the presence of wpt/fetch/corb/script-html-js-polyglot.sub.html test is a counter-example here - incorrect sniffing can lead to observable/incorrect behavior that this test is supposed to catch.

https://github.com/whatwg/fetch/issues/681#issuecomment-424068323

Received on Monday, 24 September 2018 18:01:54 UTC
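An added illustration of the constraint this comment describes (example code written for this page, not Chromium's sniffer and not text from the CORB explainer): a conservative classifier that reports html/xml/json only when the leading bytes cannot be the start of a JavaScript program, so a JS file that opens with an HTML-like `<!--` comment is left unblocked. The HTML tag list is the one from the mimesniff table; treating a leading `<!--` as "skip, then look again" rather than as an HTML signature, and the `)]}'` parser-breaker prefix, are assumptions made for this example.

```python
# Tag names from the mimesniff "identifying a resource with an unknown MIME type" table,
# minus "<!--", which is handled separately below because it is also valid JavaScript.
HTML_TAGS = ("!DOCTYPE HTML", "HTML", "HEAD", "SCRIPT", "IFRAME", "H1", "DIV",
             "FONT", "TABLE", "A", "STYLE", "TITLE", "B", "BODY", "BR", "P")

def _skip_ws(data: bytes, i: int) -> int:
    while i < len(data) and data[i] in b"\t\n\x0c\r ":
        i += 1
    return i

def _html_tag_at(data: bytes, i: int) -> bool:
    # data[i] is '<'; mimesniff requires the tag name to be followed by a space or '>'.
    for tag in HTML_TAGS:
        n = len(tag)
        if data[i + 1:i + 1 + n].upper() == tag.encode() and data[i + 1 + n:i + 2 + n] in (b" ", b">"):
            return True
    return False

def corb_sniff(data: bytes) -> str:
    """Return 'html', 'xml', 'json' or 'unknown'. Only the first three would be blocked."""
    i = _skip_ws(data, 0)
    # Assumed parser-breaker prefix: never a valid script start, only meaningful to XHR/fetch callers.
    if data.startswith(b")]}'", i):
        return "json"
    if data.startswith(b"<?xml", i):
        return "xml"
    # '{' directly followed by a string key is a syntax error as a JS block ('{"a":1}'),
    # so it is a safe JSON signal; a bare '{' or '[' is not, both are valid JS.
    if data.startswith(b"{", i) and data.startswith(b'"', _skip_ws(data, i + 1)):
        return "json"
    # Skip leading HTML comments instead of treating "<!--" as proof of HTML: a JavaScript
    # program may start with an HTML-like comment, and must not be blocked as HTML.
    while data.startswith(b"<!--", i):
        end = data.find(b"-->", i + 4)
        if end < 0:
            return "unknown"  # unterminated comment: not confident enough to block
        i = _skip_ws(data, end + 3)
    if data.startswith(b"<", i) and _html_tag_at(data, i):
        return "html"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample responses: a JS file using an HTML-like comment must stay "unknown".
    for sample in (b"<!DOCTYPE html><html>", b"<!--\nvar secret = 1;\n-->\n", b'{"secret": 1}', b"{ foo: 1 }"):
        print(corb_sniff(sample), sample[:20])
```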