Re: [whatwg/fetch] More CORB-protected MIME types - safelist-based approach (#721)

@csreis and I discussed this yesterday and I'd like to share some more thoughts about the "safelist"-based approach (having CORB block everything other than known safe types like images/audio/video/javascript/stylesheets).  These are just more notes about options 1 and 2 from https://github.com/whatwg/fetch/issues/721#issuecomment-390263197:

- Option 1: Look at Content-Type header to detect if response is a safe type
    - This is easy to implement
    - This seems likely to break existing websites (e.g. see the `application/octet-stream` trouble [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1302539)).  To prevent breaking existing websites, the current html/xml/json confirmation sniffing would probably need to be retained.
    - This should cover future image/audio/video types without any implementation changes (assuming they are not xml-based...)

- Option 2: Sniff to detect if response is a safe type
    - Sniffing of JavaScript and CSS seems difficult to implement in practice (?)
    - Robust sniffing seems unlikely to break existing websites
    - It is unclear if/how this might extend to future image/audio/video types (would they need to pretend that they sniff as one of earlier types so that CORB allows them?  would we force CORS for them (not sure if this is doable for img tag)).
-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/721#issuecomment-468356438

Received on Thursday, 28 February 2019 17:13:31 UTC
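As an added illustration (not code from the thread, from Chromium, or from the fetch spec), a simplified Python model of Option 1 with the html/xml/json confirmation sniffing retained: safelisted types pass without sniffing, anything else is blocked only if its body sniffs as html/xml/json (so a mislabeled `application/octet-stream` image still loads), and a `nosniff` flag (modelled on `X-Content-Type-Options: nosniff`) blocks non-safelisted types outright. The safelist contents and the sniff patterns are assumptions, far looser than a real implementation's.

```python
import re
# Constructed model of the "safelist" flavour of CORB discussed above (Option 1 with the
# html/xml/json confirmation sniffing retained). Illustrative only, not the fetch spec text.
SAFE_PREFIXES = ("image/", "audio/", "video/", "font/")
SAFE_EXACT = {"text/css", "text/javascript", "application/javascript",
              "application/ecmascript", "application/wasm"}

# Simplified sniffers (assumption): real CORB sniffing is stricter about tags, comments and JSON.
_HTML_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body|<script|<iframe|<!--)", re.I)
_XML_RE = re.compile(rb"^\s*<\?xml")
_JSON_RE = re.compile(rb"^\s*[\[{]")

def mime_essence(content_type):
    """Lowercase type/subtype with parameters such as charset dropped."""
    return content_type.split(";", 1)[0].strip().lower()

def is_safelisted(mime):
    return mime in SAFE_EXACT or mime.startswith(SAFE_PREFIXES)

def sniff_protected(body):
    """Confirmation sniff over the first 1 KiB: returns 'html', 'xml', 'json' or None."""
    head = body[:1024]
    for kind, pattern in (("html", _HTML_RE), ("xml", _XML_RE), ("json", _JSON_RE)):
        if pattern.match(head):
            return kind
    return None

def corb_decision(content_type, body, nosniff=False):
    """Decide whether a cross-origin no-cors response body may reach the renderer process."""
    mime = mime_essence(content_type)
    if is_safelisted(mime):
        return "allow", f"{mime} is safelisted"  # no sniffing needed for safe types
    if nosniff:
        # The server vouches for its label, so a non-safelisted type is blocked
        # without looking at the body (assumption modelled on nosniff handling).
        return "block", f"{mime} not safelisted and nosniff set"
    kind = sniff_protected(body)
    if kind:
        return "block", f"body sniffs as {kind}"
    # Mislabeled binary, e.g. the application/octet-stream image case from the bug above
    return "allow", f"{mime} not safelisted but body does not sniff as html/xml/json"

if __name__ == "__main__":  # constructed sample responses
    for ct, body, ns in [("image/png", b"\x89PNG\r\n\x1a\n", False),
                         ("application/octet-stream", b"\x89PNG\r\n\x1a\n", False),
                         ("application/octet-stream", b"\n<html><body>hi</body></html>", False),
                         ("application/json", b'{"balance": 42}', False),
                         ("text/plain", b"hello", True)]:
        print(f"{ct:28} nosniff={ns} -> {corb_decision(ct, body, ns)}")
```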