- From: Tom Schuster <notifications@github.com>
- Date: Thu, 07 Feb 2019 10:30:39 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/870@github.com>
I am cautiously optimistic that we can change the allowed JavaScript MIME types from a block to an allow list. This list would include all the [JavaScript MIME types](https://mimesniff.spec.whatwg.org/#javascript-mime-type), plus `text/html`, `application/json`, `text/plain` and *empty* (no Content-Type).

| MIME               | Loads       | %      |
|--------------------|-------------|--------|
| javaScript         | 9723904447  | 95.45% |
| text\_html         | 240640161   | 2.36%  |
| empty              | 79707178    | 0.78%  |
| app\_json          | 77716915    | 0.76%  |
| text\_plain        | 44977157    | 0.44%  |
| unknown            | 8032881     | 0.08%  |
| image              | 6772345     | 0.07%  |
| app\_octet\_stream | 4899410     | 0.05%  |
| app\_xml           | 787319      | 0.01%  |
| text\_json         | 440959      | 0.00%  |
| text\_xml          | 37279       | 0.00%  |
| audio              | 7459        | 0.00%  |
| video              | 61          | 0.00%  |
| text\_csv          | 0           | 0.00%  |
|                    | 10187923571 |        |

Source: https://mzl.la/2SxxvNw

Note that we already block `image/`, which has almost the same percentage as unknown, which includes all not explicitly enumerated MIME types.

@annevk @mikewest
Received on Thursday, 7 February 2019 18:31:01 UTC
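
An added example, not part of the original message and not Fetch spec text or browser code: a sketch of the allow list the message describes, plus a tally of how many of the loads in its table would fall outside that list. The function names are hypothetical, the JavaScript MIME type essences are taken from the linked MIME Sniffing definition, and matching on the lowercased essence with parameters ignored is an assumption.

```javascript
// JavaScript MIME type essences as listed in the MIME Sniffing standard.
const JS_ESSENCES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);
// Extra types the message proposes to keep allowing for script loads.
const EXTRA_ALLOWED = new Set(["text/html", "application/json", "text/plain"]);

// Reduce a Content-Type value to its lowercase "type/subtype" essence.
// Assumption: a missing or blank header is the "empty" case from the message.
function essenceOf(contentType) {
  if (contentType == null) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Allow list: anything not explicitly listed is refused as a script.
function isAllowedForScript(contentType) {
  const essence = essenceOf(contentType);
  return essence === "" || JS_ESSENCES.has(essence) || EXTRA_ALLOWED.has(essence);
}

// Load counts copied from the table in the message (bucket name -> loads).
const TELEMETRY = {
  javaScript: 9723904447, text_html: 240640161, empty: 79707178,
  app_json: 77716915, text_plain: 44977157, unknown: 8032881, image: 6772345,
  app_octet_stream: 4899410, app_xml: 787319, text_json: 440959,
  text_xml: 37279, audio: 7459, video: 61, text_csv: 0,
};
// Buckets that correspond to the proposed allow list.
const ALLOWED_BUCKETS = new Set(["javaScript", "text_html", "empty", "app_json", "text_plain"]);

// Sum the loads that the allow list would refuse.
function blockedShare(table) {
  let total = 0, blocked = 0;
  for (const [bucket, loads] of Object.entries(table)) {
    total += loads;
    if (!ALLOWED_BUCKETS.has(bucket)) blocked += loads;
  }
  return { total, blocked, percent: (100 * blocked) / total };
}

console.log(blockedShare(TELEMETRY));
```
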