Contact emails
mk...@chromium.org
Spec
https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?
Summary
A server which sends `X-Content-Type-Options: nosniff` along with a response is asserting to the browser that this resource must not be executed as script or applied as style unless it has a scripty or styley `Content-Type`, respectively.
Blink shipped support for `X-Content-Type-Options: nosniff` for JavaScript resources several years ago. Since then, other vendors have also begun supporting the header for stylesheets as well. We ought to follow along.
This change is quite narrow, only affecting same-origin resources in quirks-mode documents, as we already block anything but `text/css` in standards mode, and the quirk doesn't apply to cross-origin resources (see "Quirk" in https://html.spec.whatwg.org/#link-type-stylesheet).
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
https://w3c-test.org/fetch/nosniff/stylesheet.html
Debuggability
Blocked responses show up as errors in the waterfall and on the console.
Risks
Interoperability and Compatibility
Both Firefox and Safari ship this behavior today.
Edge: No signals; CCing Edge folks for opinions here (Hi, Patrick and Travis!)
Firefox: Shipped
Safari: Shipped
Web developers: No signals.
Ergonomics
No ergonomic concerns.
Activation
No activation concerns.
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
It is! We have a robust test suite at https://wpt.fyi/fetch/nosniff/.
Entry on the feature dashboard
https://www.chromestatus.com/features/5780195579527168
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Ddda0pV_EbYrGSebLy_w%3D0NtFUCbsq90%2BfopKbOucKUVg%40mail.gmail.com.
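To make the check concrete, here is an added example (not code from this thread, from Blink, or from the spec text) that models the Fetch standard's "should response to request be blocked due to nosniff?" algorithm together with the quirks-mode stylesheet rule the intent refers to; the `doc`, `request` and `response` shapes are assumed plain objects with lowercased header names.

```javascript
// Added example, not code from the intent thread or from Blink: a model of the
// Fetch standard's "should response to request be blocked due to nosniff?"
// check, plus the HTML quirks-mode stylesheet rule the intent refers to.
// Header names are assumed already lowercased in a plain object.

// Fetch "determine nosniff": only the first comma-separated value is consulted.
function determineNosniff(headers) {
  const raw = headers["x-content-type-options"];
  if (raw === undefined) return false;
  return raw.split(",")[0].trim().toLowerCase() === "nosniff";
}

// MIME type essence ("type/subtype", parameters dropped); null when the
// Content-Type header is missing, which the spec treats as extraction failure.
function mimeEssence(headers) {
  const ct = headers["content-type"];
  if (ct === undefined || !ct.includes("/")) return null;
  return ct.split(";")[0].trim().toLowerCase();
}

// JavaScript MIME types per the MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);
const SCRIPT_LIKE = new Set(["audioworklet", "paintworklet", "script",
  "serviceworker", "sharedworker", "worker"]);

// Returns "blocked" or "allowed" for a request/response pair.
function nosniffBlocks(request, response) {
  if (!determineNosniff(response.headers)) return "allowed";
  const essence = mimeEssence(response.headers);
  if (SCRIPT_LIKE.has(request.destination) && !JS_MIME_TYPES.has(essence)) return "blocked";
  if (request.destination === "style" && essence !== "text/css") return "blocked";
  return "allowed";
}

// <link rel=stylesheet> processing: text/css is always applied; otherwise only
// the quirks-mode, same-origin quirk applies the sheet, and only when nosniff
// has not already blocked the response (the narrow case this intent changes).
function stylesheetApplied(doc, request, response) {
  if (nosniffBlocks(request, response) === "blocked") return false;
  if (mimeEssence(response.headers) === "text/css") return true;
  return doc.quirksMode === true && request.sameOrigin === true;
}
```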
Seems like a useful mechanism for origins to opt out of sniffing for style resources (and presumably avoid potential security issues that come along with such sniffing). Since developers have to opt in to this change, this should have no compat issues, and from an interoperability perspective (as mentioned), 2 implementations are already shipping this.
LGTM1