
Intent to Ship - Support XCTO: nosniff for navigations


Sebastian Streich

Sep 5, 2019, 9:21:05 AM
to dev-pl...@lists.mozilla.org
Currently, support for "X-Content-Type-Options: nosniff" is limited to
CSS and JS resources. In Firefox 70 I intend to enable nosniff support for
page navigations by default.

If a server's response does not include any mime-type but sets the response
header "XCTO: nosniff" then Firefox will prompt the user to download the
file instead of trying to sniff the mime-type, eliminating the attack
vector of so-called mime-confusion attacks.

Supporting XCTO: nosniff not only for JS and CSS but also for top-level
navigations will create parity with other browsers (Chrome, Safari) which
already support XCTO: nosniff for navigations.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1428473

Link to standard:
https://fetch.spec.whatwg.org/#x-content-type-options-header

Platform coverage: This will be exposed to all platforms.

Estimated or target release: Firefox 70

Is this feature enabled by default in sandboxed iframes? N/A

DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1571415

Do other browser engines implement this? Yes
Secure contexts: This feature isn’t restricted to Secure Contexts.


Bug implementing and enabling this feature:

- https://bugzilla.mozilla.org/show_bug.cgi?id=1469592
- https://bugzilla.mozilla.org/show_bug.cgi?id=1570658

Daniel Veditz

Sep 5, 2019, 10:09:54 AM
to Sebastian Streich, dev-platform
On Thu, Sep 5, 2019 at 6:21 AM Sebastian Streich <sstr...@mozilla.com>
wrote:
That bit of the standard doesn't describe this behavior--it still only
talks about scripts and style. Is there an issue or PR to update the spec
to describe this blocking?

> Is this feature enabled by default in sandboxed iframes? N/A

Will we still try to sniff if you frame the victim resource instead of
navigating to it at the top level? Checking the code, this does apply to
TYPE_SUBDOCUMENT and I don't see any "if sandboxed" checks, so I think
your answer here should be "Yes: it applies to sandboxed frames by default".

Boris Zbarsky

Sep 5, 2019, 2:35:03 PM
On 9/5/19 9:20 AM, Sebastian Streich wrote:
> In Firefox 70 I intend to enable nosniff support for
> page navigations by default.

We're still doing stream converters for navigations even if that header
is sent. Is that intended? I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1579176 to track that.

> If a server's response does not include any mime-type but sets the response
> header "XCTO: nosniff" then Firefox will prompt the user to download the
> file

Is that definitely known to be true? Based on code inspection it looks
like this case will set the type to UNKNOWN_CONTENT_TYPE, then keep
trying to do stream conversion things with it 20 times in a row (or
whatever the "general.document_open_conversion_depth_limit" pref is set
to), and then kick it over to the helper app handler. After that what
happens depends on whether the user might have a helper app defined for
that type and so forth. If we actually mean to force a download, we
should probably be doing so explicitly.

-Boris
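The decision the thread is debating, as an added example (this is not Mozilla's code and not part of the original thread): the header parsing follows the Fetch spec's "determine nosniff" algorithm (only the first X-Content-Type-Options value counts, matched ASCII case-insensitively), and the download-versus-sniff branch models the Firefox 70 behaviour Sebastian describes, applied to both top-level and framed documents as Daniel points out. The destination names, the toy sniffer and every sample response are constructed for the example; Boris's caveat about stream converters and the helper-app path is not modelled.

```python
"""Model of how a browser decides whether to sniff a navigation response.

Added example, not Mozilla code. Header parsing follows the Fetch spec's
"determine nosniff" algorithm; the download-vs-sniff decision models the
Firefox 70 behaviour described in the thread. Destination labels, the toy
sniffer and the sample responses are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The thread says the check applies to top-level navigations
# (TYPE_DOCUMENT) and framed documents (TYPE_SUBDOCUMENT), sandboxed or
# not. These destination names are the example's own labels.
NAVIGATION_DESTINATIONS = {"document", "iframe"}


@dataclass
class Response:
    """Constructed stand-in for an HTTP response: headers plus body bytes."""
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def split_header_values(raw: str) -> List[str]:
    """Simplified 'get, decode, and split' from the Fetch spec: split on
    commas and strip HTTP whitespace. Quoted-string handling is omitted."""
    return [v.strip(" \t") for v in raw.split(",")]


def determine_nosniff(resp: Response) -> bool:
    """Fetch spec 'determine nosniff': true iff the first
    X-Content-Type-Options value is an ASCII case-insensitive 'nosniff'."""
    raw = resp.header("X-Content-Type-Options")
    if raw is None:
        return False
    return split_header_values(raw)[0].lower() == "nosniff"


def sniff_body(body: bytes) -> str:
    """Toy content sniffer: shows why untyped bodies are risky, since a
    body that merely looks like HTML would be treated as HTML."""
    head = body.lstrip()[:32].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    if head.startswith(b"%pdf-"):
        return "application/pdf"
    return "application/octet-stream"


def navigation_decision(resp: Response, destination: str) -> str:
    """Return what the modelled browser does with a navigation response:
    'use:<type>' (declared Content-Type honoured), 'download' (no type but
    nosniff set), 'sniff:<type>' (no type, no nosniff), or
    'not-a-navigation' for destinations outside the modelled scope."""
    if destination not in NAVIGATION_DESTINATIONS:
        return "not-a-navigation"
    declared = resp.header("Content-Type")
    if declared is not None and declared.strip() != "":
        return "use:" + declared.split(";")[0].strip().lower()
    if determine_nosniff(resp):
        return "download"
    return "sniff:" + sniff_body(resp.body)


# Constructed sample responses, e.g. from a file-serving endpoint.
SAMPLES = {
    # Untyped body that looks like HTML: sniffed and rendered as a page
    # when the server sends no nosniff header.
    "untyped_html_no_nosniff": Response(
        headers={}, body=b"<html><body>hello</body></html>"),
    # Same body with nosniff: offered as a download instead.
    "untyped_html_nosniff": Response(
        headers={"X-Content-Type-Options": "nosniff"},
        body=b"<html><body>hello</body></html>"),
    # First value wins; 'NOSNIFF' matches case-insensitively.
    "odd_casing_list": Response(
        headers={"x-content-type-options": " NOSNIFF , foo"}, body=b"<html>"),
    # A non-matching first value leaves the protection off.
    "wrong_first_value": Response(
        headers={"X-Content-Type-Options": "foo, nosniff"}, body=b"<html>"),
    # Declared type is honoured; nothing is sniffed.
    "typed_pdf": Response(
        headers={"Content-Type": "application/pdf; charset=x"}, body=b"%PDF-1.7"),
}


def audit(samples: Dict[str, Response], destination: str = "document") -> Dict[str, str]:
    """Run every sample through the decision and return name -> outcome."""
    return {name: navigation_decision(r, destination) for name, r in samples.items()}


if __name__ == "__main__":
    for name, outcome in audit(SAMPLES).items():
        print(f"{name:26} -> {outcome}")
    # Framed documents take the same path as top-level ones in this model.
    print("iframe:", navigation_decision(SAMPLES["untyped_html_nosniff"], "iframe"))
```

Running the audit shows the two cases that matter for a server operator: an untyped response is rendered from its sniffed bytes unless nosniff is present, and a wrong first value such as "foo, nosniff" does not count, so the header must be emitted exactly.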