Intent to Ship: Stricter *+json MIME token validation for JSON modules


Chromestatus

Sep 22, 2025, 12:00:30 PM
to blin...@chromium.org, dan...@microsoft.com, issac...@microsoft.com
Contact emails
issac...@microsoft.com, dan...@microsoft.com

Explainer
None

Specification
https://mimesniff.spec.whatwg.org/#parse-a-mime-type

Summary
Reject JSON module script responses whose MIME type’s type or subtype contains non‑HTTP token code points (e.g. spaces) when matched via *+json; aligns with MIME Sniffing spec and other engines. This change is part of the Interop2025 modules focus area.
Related Issues: https://bugs.webkit.org/show_bug.cgi?id=297161
Related PR: https://github.com/web-platform-tests/wpt/pull/54219
Draft CL: https://chromium-review.googlesource.com/c/chromium/src/+/6931461

Blink component
Blink>Network

Web Feature ID
Missing feature

Search tags
json, mime, sniffing, spec-compliance, interoperability

TAG review
None

TAG review status
Not applicable

Risks


Interoperability and Compatibility
Interoperability risk is low. Very low compat risk; only malformed MIME types with +json in module scripts are newly rejected. Other browsers are already stricter. Additionally, until recently (https://groups.google.com/u/0/a/chromium.org/g/blink-dev/c/-lZFLXH7_Y8/m/hw3Tcl64AQAJ), all such +json MIME types would have been treated as failures, making it highly unlikely that there are widespread dependencies on this invalid subset.

Gecko: Shipped/Shipping

WebKit: Shipped/Shipping

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None



Debuggability
None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/html/semantics/scripting-1/the-script-element/json-module/invalid-content-type.any.html
https://wpt.fyi/results/html/semantics/scripting-1/the-script-element/json-module/invalid-content-type.any.sharedworker.html
https://wpt.fyi/results/html/semantics/scripting-1/the-script-element/json-module/invalid-content-type.any.worker.html

Flag name on about://flags
None

Finch feature name
StrictJsonMimeTypeTokenValidation

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://issues.chromium.org/issues/440128360

Estimated milestones
Shipping on desktop: 142
Shipping on Android: 142
Shipping on WebView: 142


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way). None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5182756304846848?gate=5090319381168128

This intent message was generated by Chrome Platform Status.
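
Added example, not part of the original thread and not Chromium's code: a sketch of the type/subtype steps of the MIME Sniffing spec's "parse a MIME type" algorithm followed by the JSON MIME type check, showing why a `+json` suffix alone is not enough. Function names and the sample `Content-Type` values are constructed for illustration; parameter parsing is omitted.

```javascript
// HTTP token code points: ! # $ % & ' * + - . ^ _ ` | ~ and ASCII alphanumerics.
const HTTP_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const HTTP_WS = "\t\n\r ";

function stripHttpWhitespace(s, leading = true) {
  let start = 0, end = s.length;
  if (leading) while (start < end && HTTP_WS.includes(s[start])) start++;
  while (end > start && HTTP_WS.includes(s[end - 1])) end--;
  return s.slice(start, end);
}

// Returns { type, subtype, essence } or null (the spec's "failure").
function parseMimeEssence(input) {
  const s = stripHttpWhitespace(input);
  const slash = s.indexOf("/");
  if (slash === -1) return null;                 // no "/" in the input
  const type = s.slice(0, slash);
  if (!HTTP_TOKEN.test(type)) return null;       // empty or non-token code point
  const semi = s.indexOf(";", slash + 1);
  const rawSubtype = s.slice(slash + 1, semi === -1 ? s.length : semi);
  const subtype = stripHttpWhitespace(rawSubtype, false); // trailing only
  if (!HTTP_TOKEN.test(subtype)) return null;    // e.g. an embedded space
  const t = type.toLowerCase(), st = subtype.toLowerCase();
  return { type: t, subtype: st, essence: `${t}/${st}` };
}

// JSON MIME type: subtype ends in "+json", or essence is application/json
// or text/json. A value that fails to parse is never a JSON MIME type.
function isJsonMimeType(contentType) {
  const mime = parseMimeEssence(contentType);
  if (mime === null) return false;
  return mime.subtype.endsWith("+json") ||
    mime.essence === "application/json" || mime.essence === "text/json";
}

// Constructed sample header values (not taken from the WPT tests).
const samples = [
  "application/ld+json",               // valid tokens, +json suffix
  "text/json; charset=utf-8",          // parameters do not affect the essence
  "application/x+json ;charset=utf-8", // trailing whitespace is stripped
  "application/foo bar+json",          // space inside subtype: rejected
  "app lication/x+json",               // space inside type: rejected
  "application/x@y+json",              // "@" is not an HTTP token code point
];

function classify(values) {
  return values.map((v) => [v, isJsonMimeType(v)]);
}
```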

Alex Russell

Sep 22, 2025, 2:41:31 PM
to blink-dev, Chromestatus, dan...@microsoft.com, issac...@microsoft.com
LGTM1

Mike Taylor

Sep 22, 2025, 3:25:47 PM
to Alex Russell, blink-dev, Chromestatus, dan...@microsoft.com, issac...@microsoft.com

LGTM2
