Re: [w3c/manifest] Why does obtaining not check a MIME type? (#821)

@mgiuca: I may be misunderstanding the architecture, but my concern here is that ignoring the MIME type allows an attacker to bring any resource into the renderer, and therefore exposes it to Spectre, etc. (similar to the description in https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md#incompleteness-of-corb). This risk is reduced if we only bring resources into the renderer that claim to be reasonable for the kind of request that's being made; we could reject `text/html` and `application/octet-stream` out of hand, for instance, rather than attempting to parse them.

https://github.com/w3c/manifest/issues/821#issuecomment-617592910

Received on Wednesday, 22 April 2020 07:06:38 UTC
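
The check proposed in the comment above, sketched as an added example; it is not code from the manifest specification, Chromium, or the thread's participants. It assumes an allowlist policy (only JSON MIME types as defined by the WHATWG MIME Sniffing standard, which covers `application/manifest+json`) applied to the `Content-Type` header before the body is handed to a parser; the function names are hypothetical.

```javascript
// Added example: gate a fetched manifest response on its declared MIME type
// before any parsing happens. Function names are hypothetical.

// Return the MIME type essence ("type/subtype", lowercased, parameters
// stripped), or null when the header is absent or malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  // Both type and subtype must be non-empty HTTP tokens. A comma-joined
  // header such as "text/html, application/json" fails here (fail closed).
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// JSON MIME type per the WHATWG MIME Sniffing standard: essence is
// application/json or text/json, or the subtype ends in "+json".
function isJsonMimeType(essence) {
  return essence === "application/json" ||
         essence === "text/json" ||
         essence.endsWith("+json");
}

// Decide whether the response body may be passed on for parsing.
function checkManifestResponse(contentType) {
  const essence = mimeEssence(contentType);
  if (essence === null) {
    return { allow: false, reason: "missing or malformed Content-Type" };
  }
  if (!isJsonMimeType(essence)) {
    return { allow: false, reason: `not a JSON MIME type: ${essence}` };
  }
  return { allow: true, reason: essence };
}

// Constructed sample headers, including the two types named in the comment.
const samples = [
  "application/manifest+json",
  "Application/JSON; charset=utf-8",
  "text/html",
  "application/octet-stream",
  "text/html, application/json",
  undefined,
];
for (const header of samples) {
  const verdict = checkManifestResponse(header);
  console.log(String(header).padEnd(34), verdict.allow ? "allow" : "reject", "-", verdict.reason);
}
```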