Define parsing for X-Content-Type-Options in detail #818
Conversation
And add some of the infrastructure needed to define parsing better for all headers going forward (needed for #814). Fixes #752. This also fixes an issue with CORB as it simply assumed an X-Content-Type-Options was present. Tests: web-platform-tests/wpt#13559.
|
The only somewhat icky bit here in my opinion is using "isomorphic encode" to avoid the lack of byte sequence manipulation infrastructure. It seems fine for now, but worth keeping an eye on. I also filed a follow-up, unrelated to that: #817. cc @MattMenke2 |
fetch.bs
Outdated
|
|
||
| <li> | ||
| <p>Let <var>tokens</var> be the result of | ||
| <a lt="split on commas">Spliting <var>stringValue</var> on commas</a>. |
fetch.bs
Outdated
|
|
||
| <li><p>If <var>value</var> is null, then return false. | ||
|
|
||
| <li><p>Let <var>stringValue</var> be the <a>isomorphic encode</a> of <var>value</var>. |
There was a problem hiding this comment.
I wonder if this should be part of the generic get algorithm?
There was a problem hiding this comment.
It should be isomorphic decode. I think for some header values we want to always decode using UTF-8?
There was a problem hiding this comment.
I'd support adding a "get as string|getting as string" for header lists though to make this easier for simple cases.
|
@MattMenke2 so I updated the tests and ran them again and Chrome and Safari both treat |
Running just Chrome's MIME sniffer through a test case (With a real HTTP server), "X-Content-Type-Options: nosniff\x0C" doesn't result in MIME sniffing, and there is no code anywhere in Chrome's network stack that could account for that. However, it looks to me like Blink's code uses "nosniff" in a couple places, and that code does use a more permissive definition of space: inline bool IsASCIISpace(CharType c) { So it looks to me like what's happening is the network stack sniffs the type, and gives "text/plain" to the renderer. Blink then applies its own header parsing logic, sees the header as being a nosniff header, and decides that "text/plain" just isn't going to cut it in a script tag. For more well-behaved tags that don't have their own nosniff logic in Blink, like images (I assume), the network stack's interpretation will be respected, but in at least the particular case of Javascript, no so much... So that gets us back where we started. |
|
That seems somewhat bad… I guess fingers crossed that we can align on not treating 0x0B and 0x0C as whitespace across all code bases? |
|
I agree. Actually, it seems very bad to me. I still suspect we won't see much breakage here (I mean, really, who uses that character?), but it does mean this has the potential to break pages. I'm much less gung ho about removing support for it now, but I still think doing so is best for the long term health of the platform, if we can manage it. I've made enough changes to Chrome's header parsing (One more is in the pipeline) in this version that I'm not comfortable making more until the current set has made it to stable or at least been on beta for a while, but we are going to have to change Chrome's behavior here, regardless, at some point. |
|
This bifurcated space handling logic also applies to a number of other response headers in blink. Cache headers, Accept headers, and quite possibly others. Blink doesn't have an HTTP-specific whitespace checking method, so it will be difficult to locate them all. |
|
As a heads up, I plan to merge this tomorrow or Friday, as it sets out new infrastructure for header parsing it's kind of nice to have it landed so the other bits can start to be converted. |
https://bugs.webkit.org/show_bug.cgi?id=191107 Patch by Rob Buis <[email protected]> on 2018-11-06 Reviewed by Darin Adler. LayoutTests/imported/w3c: Update improved result. * web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt: Source/WebCore: Implement new parsing rules for X-Content-Type-Options [1]: whatwg/fetch#818 [1] https://fetch.spec.whatwg.org/#x-content-type-options-header Test: web-platform-tests/fetch/nosniff/parsing-nosniff.html * platform/network/HTTPParsers.cpp: (WebCore::isHTTPTabOrSpace): (WebCore::parseContentTypeOptionsHeader): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@237850 268f45cc-cd09-0410-ab3c-d52691b4dbfc
…stonly Automatic update from web-platform-testsFetch: X-Content-Type-Options: nosniff parsing For whatwg/fetch#818. -- wpt-commits: 10f708e6f13141fc92ca9318c7606590f659fcf2 wpt-pr: 13559
…stonly Automatic update from web-platform-testsFetch: X-Content-Type-Options: nosniff parsing For whatwg/fetch#818. -- wpt-commits: 10f708e6f13141fc92ca9318c7606590f659fcf2 wpt-pr: 13559
…stonly Automatic update from web-platform-testsFetch: X-Content-Type-Options: nosniff parsing For whatwg/fetch#818. -- wpt-commits: 10f708e6f13141fc92ca9318c7606590f659fcf2 wpt-pr: 13559 UltraBlame original commit: c10367efab032503002f5a5836ea3cff8fd501f9
…stonly Automatic update from web-platform-testsFetch: X-Content-Type-Options: nosniff parsing For whatwg/fetch#818. -- wpt-commits: 10f708e6f13141fc92ca9318c7606590f659fcf2 wpt-pr: 13559 UltraBlame original commit: c10367efab032503002f5a5836ea3cff8fd501f9
…stonly Automatic update from web-platform-testsFetch: X-Content-Type-Options: nosniff parsing For whatwg/fetch#818. -- wpt-commits: 10f708e6f13141fc92ca9318c7606590f659fcf2 wpt-pr: 13559 UltraBlame original commit: c10367efab032503002f5a5836ea3cff8fd501f9
And add some of the infrastructure needed to define parsing better for all headers going forward (needed for #814). Fixes #752.
This also fixes an issue with CORB as it simply assumed an X-Content-Type-Options was present.
Tests: web-platform-tests/wpt#13559.
Preview | Diff