eng (and PM) emailsmk...@chromium.org
Currently, `<script src="whatever"></script>` will execute the resource at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't opt-in to additional protection by sending an `X-Content-Type-Options: nosniff` header). I'd like to tighten this to exclude `text/csv` as well as `audio/*` and `video/*` by default.
It's possible that some folks are (inadvertently?) serving real scripts with a `text/csv`, `audio/*` or `video/*` MIME type. Firefox recently added metrics for this, and their data shows basically zero usage: https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-08-24&keys=__none__!__none__!__none__&max_channel_version=nightly%252F51&measure=SCRIPT_BLOCK_WRONG_MIME&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-08-22&table=1&trim=1&use_submission_date=0. We'd want to keep an eye on that as this rolls through our release channels.
According to https://github.com/whatwg/fetch/pull/379, Mozilla is interested in shipping this change.
Alternative implementation suggestion for web developers
Usage information from UseCounter
See Firefox's data above. We don't yet have a counter.
OWP launch tracking bughttps://crbug.com/433049
Entry on the feature dashboard
Requesting approval to remove too?
LGTM2It looks like https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type? is the spec for this. Is there a chance that we could end up with a whitelist, is that what "Mozilla's data set" is?
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firstname.lastname@example.org.
I should have noted that we do have data here, it's just not granular
enough. That is, we know that:
* ~91.5% of page views either don't load scripts, or load scripts with
expected MIME types.
* ~1.97% of page views load scripts with an unexpected `application/*` type
* ~3.17% of page views load scripts with an unexpected `text/*` type
* ~3.34% of page views load scripts with some other (or no specified) type
These are culled from the
Those numbers worry me, you see. So I'd like to be a little careful about
breaking the internet by breaking that big number down into smaller buckets
whose risk we can more easily weigh. :)
I tried checking for MIME types in httparchive.
I couldn't find an easy way to isolate <script src> fetches but checked Accept: */* request header instead, as I believe that is used for <script src> and some other things but not all things (does somebody know which fetches use Accept: */* in Chrome?).