Closed Bug 1294411 Opened 8 years ago Closed 8 years ago

Update XCTO: nosniff implementation to accept images which content type starts with 'image/'

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla51
Tracking Status
firefox49 --- ?
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

The spec [1] slightly changed and images should be allowed to load if the content type starts with 'image/'. E.g. loading a png with type 'image/foo' should be allowed to load.

[1] https://fetch.spec.whatwg.org/#x-content-type-options-header
Assignee: nobody → ckerschb
Blocks: 471020
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch

Review of attachment 8780081 [details] [diff] [review]:
-----------------------------------------------------------------

This is fine. Apart from an extra console message the old code was effectively fine, too: either way we've already made the network load and are not displaying image/unknown. This does match the updated spec.

r=dveditz
Attachment #8780081 - Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/faa7e3750138
Update XCTO: nosniff implementation to accept images which content type starts with 'image/'. r=dveditz
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch

Approval Request Comment
The spec for XCTO: nosniff changed and we should not block images that start with a MIME type of "image/". The original implementation blocks all image loads whose MIME type Firefox does not support.

[Feature/regressing bug #]:
Bug 471020 - Add X-Content-Type-Options: nosniff support to Firefox
[User impact if declined]:

[Describe test coverage new/current, TreeHerder]:
We have mochitests as well as web platform tests for the feature, they worked before the change and still work after this change.

[Risks and why]:
low, in fact this change makes XCTO: nosniff less aggressive and blocks fewer images.

[String/UUID change made/needed]:
no
Attachment #8780081 - Flags: approval-mozilla-beta?
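The blocking decision this bug changes, as an added Python example (not Firefox's code): with XCTO: nosniff set, an image load is blocked unless the Content-Type essence starts with 'image/', while the strict_image_list flag reproduces the pre-fix behaviour described in the approval request using a constructed stand-in for the set of image types the browser decodes. The script and style branches follow the Fetch spec's nosniff algorithm; the header handling and helper names are assumptions of this example.

```python
from typing import Optional

# Constructed stand-in for the image formats the browser actually decodes; the
# pre-fix behaviour blocked any image response whose type was not in such a list.
SUPPORTED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/svg+xml"}
# Subset of the JavaScript MIME types the Fetch spec accepts for script destinations.
JAVASCRIPT_TYPES = {"text/javascript", "application/javascript",
                    "application/x-javascript", "text/ecmascript", "application/ecmascript"}


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def nosniff_requested(headers: dict) -> bool:
    """True when the first X-Content-Type-Options value is 'nosniff' (case-insensitive)."""
    raw = _header(headers, "x-content-type-options")
    if raw is None:
        return False
    return raw.split(",")[0].strip().lower() == "nosniff"


def mime_essence(headers: dict) -> Optional[str]:
    """Content-Type with parameters stripped and lower-cased; None if absent or empty."""
    raw = _header(headers, "content-type")
    if not raw:
        return None
    return raw.split(";")[0].strip().lower() or None


def blocked_by_nosniff(headers: dict, destination: str, strict_image_list: bool = False) -> bool:
    """Return True if the response must be blocked under XCTO: nosniff.

    strict_image_list=True mirrors the old Firefox behaviour (fixed allow-list);
    False applies the updated rule from this bug: any 'image/*' essence loads.
    """
    if not nosniff_requested(headers):
        return False
    essence = mime_essence(headers)
    if destination == "image":
        if essence is None:
            return True  # no usable Content-Type at all: nothing to match 'image/'
        if strict_image_list:
            return essence not in SUPPORTED_IMAGE_TYPES
        return not essence.startswith("image/")
    if destination == "script":
        return essence not in JAVASCRIPT_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # other destinations are not subject to nosniff blocking
```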
https://hg.mozilla.org/mozilla-central/rev/faa7e3750138
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Does this affect 49? I notice bug 471020 landed for 50, so maybe you intended this for aurora (50) uplift.
Flags: needinfo?(ckerschb)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> Does this affect 49? I notice bug 471020 landed for 50, so maybe you
> intended this for aurora (50) uplift.

Liz, yes this is intended to be uplifted to aurora (50) - thanks for checking!
Flags: needinfo?(ckerschb)
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch

Please see comment 4 and also comment 7.
Attachment #8780081 - Flags: approval-mozilla-beta? → approval-mozilla-aurora?
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch

Makes Firefox more spec compliant, stabilized on Nightly for a few days, Aurora50+
Attachment #8780081 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+