[whatwg/fetch] More CORB-protected MIME types - adding protected types one-by-one. (#860)

In https://github.com/whatwg/fetch/issues/721 we have been discussing how to extend CORB to other types using a "safelist" approach (e.g. attempting to protect/block everything that is not a "safelisted" content type like an image, stylesheet, script, etc).  The "safelist" (e.g. the 2 flavours pointed out in https://github.com/whatwg/fetch/issues/721#issuecomment-390263197) seems like the right long-term approach, but it seems very unfortunate that some sensitive content types are not protected in the short-term.  For example - it seems very desirable to protect PDF documents as they are likely to contain sensitive information (e.g. financial statements).

I think I would like to just go ahead and add protection of "application/pdf" to Chromium's CORB implementation (with no sniffing).  Does that seem reasonable to all of you?  If I hear no objections, then I'll try to work on that (implementation + WPT coverage) and possibly adding that MIME type to https://fetch.spec.whatwg.org/#corb later on.

Do you have any suggestions for how to decide on additional types that should be protected by CORB?  PDF seems like an important one, but hopefully such types can be identified in a structured way (rather than unilaterally and possibly incorrectly deciding that PDF is important but ZIP and CSV maybe not so much).  I wonder if there are public data sources that have statistics on the most commonly used MIME types on the web (I couldn't find this after a cursory glance at https://archive.org/).

cc @annevk @csreis @jakearchibald 
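To make the proposal concrete, here is an added example (not code from whatwg/fetch, Chromium, or the issue author) of a minimal CORB-style blocking decision for a cross-origin, no-CORS subresource response, extended with "application/pdf" as a header-only protected type the way the post suggests. The baseline set of already-protected types, the `mimeEssence` helper, the `corbDecision` function and its parameter names are all this example's own assumptions; real CORB also sniffs the body of HTML/XML/JSON responses before blocking, which is deliberately omitted here so every listed type is handled without sniffing.

```javascript
// Added example, not whatwg/fetch or Chromium code. Simplified CORB-style
// decision: block protected MIME types on cross-origin no-cors subresource
// loads, purely from the Content-Type header (no body sniffing).

// Assumption: the families CORB already protects (HTML, XML, JSON).
const BASELINE_PROTECTED = new Set([
  "text/html",
  "text/xml",
  "application/xml",
  "application/json",
]);

// The type this issue proposes to add, protected with no sniffing.
const PROPOSED_NO_SNIFF = new Set(["application/pdf"]);

// Reduce a Content-Type header value to its MIME essence:
// "Text/HTML; charset=utf-8" -> "text/html". Returns null when unparseable.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s/]+\/[^\s/]+$/.test(essence) ? essence : null;
}

// True if the essence is in one of the protected sets or uses an
// XML/JSON structured-syntax suffix (e.g. image/svg+xml, application/ld+json).
function isProtectedType(essence) {
  if (essence === null) return false;
  if (BASELINE_PROTECTED.has(essence) || PROPOSED_NO_SNIFF.has(essence)) {
    return true;
  }
  return essence.endsWith("+xml") || essence.endsWith("+json");
}

// Decide whether the response body may be delivered to the requesting
// renderer. `initiator` is "navigation" for document/frame loads (CORB does
// not apply there); anything else is treated as a subresource fetch.
function corbDecision({ sameOrigin, corsAllowed, contentType, initiator }) {
  if (sameOrigin || corsAllowed || initiator === "navigation") {
    return { block: false, reason: "not a cross-origin no-cors subresource" };
  }
  const essence = mimeEssence(contentType);
  if (!isProtectedType(essence)) {
    return { block: false, reason: `type ${essence ?? "(unknown)"} not protected` };
  }
  return { block: true, reason: `protected type ${essence}` };
}

// Constructed sample: a cross-origin <img> that happens to receive a PDF.
console.log(
  corbDecision({
    sameOrigin: false,
    corsAllowed: false,
    contentType: "application/pdf; charset=binary",
    initiator: "img",
  })
);
```

The interesting property for the thread is that the PDF branch needs no sniffing at all: once the header says `application/pdf`, a cross-origin image, script or no-cors `fetch()` simply never sees the bytes, while same-origin loads, CORS-approved loads and navigations are untouched.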

https://github.com/whatwg/fetch/issues/860

Received on Saturday, 19 January 2019 00:00:13 UTC