Closed
Bug 1294411
Opened 8 years ago
Closed 8 years ago
Update XCTO: nosniff implementation to accept images which content type starts with 'image/'
Categories: Core :: DOM: Security, defect
Tracking: RESOLVED FIXED, target milestone mozilla51
People: Reporter: ckerschb, Assigned: ckerschb
Whiteboard: [domsecurity-active]
Attachments (1 file): 1.93 KB, patch | dveditz: review+ | ritu: approval-mozilla-aurora+ | Details | Diff | Splinter Review
The spec [1] slightly changed and images should be allowed to load if the content type starts with 'image/'. E.g. loading a png with type 'image/foo' should be allowed to load.
[1] https://fetch.spec.whatwg.org/#x-content-type-options-header
Updated•8 years ago
Comment 1•8 years ago
Attachment #8780081 -
Flags: review?(dveditz)
Comment 2•8 years ago
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch
Review of attachment 8780081 [details] [diff] [review]:
-----------------------------------------------------------------
This is fine. Apart from an extra console message the old code was effectively fine, too: either way we've already made the network load and are not displaying image/unknown. This does match the updated spec.
r=dveditz
Attachment #8780081 -
Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/faa7e3750138
Update XCTO: nosniff implementation to accept images which content type starts with 'image/'. r=dveditz
Comment 4•8 years ago
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch
Approval Request Comment
The spec for XCTO: nosniff changed and we should not block images that start with a mime type of "image/". The original implementation blocks all image loads whose MIME type Firefox does not support.
[Feature/regressing bug #]:
Bug 471020 - Add X-Content-Type-Options: nosniff support to Firefox
[User impact if declined]:
[Describe test coverage new/current, TreeHerder]:
We have mochitests as well as web platform tests for the feature, they worked before the change and still work after this change.
[Risks and why]:
low; in fact this change makes XCTO: nosniff less aggressive and blocks fewer images.
[String/UUID change made/needed]:
no
Attachment #8780081 -
Flags: approval-mozilla-beta?
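To make the rule from the description and from the approval request above concrete, here is an added C++ example (not Gecko's code: the function names, the list of "supported" image types and the sample header values are constructed for illustration). It contrasts the original behaviour, where a nosniff response carrying an image type Firefox does not decode is blocked, with the spec-aligned behaviour, where any MIME type whose essence starts with "image/" is allowed. The check only applies when the response actually carries "X-Content-Type-Options: nosniff"; without that header no blocking decision is made at all.

```cpp
// Added example, not Firefox's implementation. All names are hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Trim surrounding whitespace and lower-case (header tokens and MIME types
// are matched ASCII-case-insensitively).
std::string Normalize(std::string s) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    s.erase(s.begin(), std::find_if(s.begin(), s.end(), notSpace));
    s.erase(std::find_if(s.rbegin(), s.rend(), notSpace).base(), s.end());
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Reduce a Content-Type header value to its MIME essence: drop parameters
// after ';', e.g. "Image/PNG; charset=binary" -> "image/png".
std::string MimeEssence(const std::string& contentType) {
    return Normalize(contentType.substr(0, contentType.find(';')));
}

// True if the X-Content-Type-Options header's first value is "nosniff".
bool HasNosniff(const std::string& xctoHeader) {
    return Normalize(xctoHeader.substr(0, xctoHeader.find(','))) == "nosniff";
}

// Original behaviour described in the bug: under nosniff, an image load is
// allowed only if its MIME type is one the browser decodes. The list is an
// assumption for the example, not Gecko's real decoder registry.
bool ImageAllowedOldRule(const std::string& contentType) {
    static const std::vector<std::string> kSupported = {
        "image/png", "image/jpeg", "image/gif", "image/bmp",
        "image/x-icon", "image/svg+xml"};
    const std::string essence = MimeEssence(contentType);
    return std::find(kSupported.begin(), kSupported.end(), essence) != kSupported.end();
}

// Behaviour after this bug, matching the updated fetch spec: allowed if the
// MIME essence starts with "image/" (so "image/foo" is allowed).
bool ImageAllowedNewRule(const std::string& contentType) {
    return MimeEssence(contentType).rfind("image/", 0) == 0;
}

struct NosniffDecision {
    bool checked;  // false when the response has no nosniff header
    bool allowed;  // load permitted (always true when not checked)
};

// Decide whether an image response may be used. `useNewRule` selects the
// spec-aligned prefix check instead of the old fixed list.
NosniffDecision ShouldAllowImageLoad(const std::string& xctoHeader,
                                     const std::string& contentType,
                                     bool useNewRule) {
    if (!HasNosniff(xctoHeader)) {
        return {false, true};
    }
    const bool ok = useNewRule ? ImageAllowedNewRule(contentType)
                               : ImageAllowedOldRule(contentType);
    return {true, ok};
}

int main() {
    // Constructed sample responses: (X-Content-Type-Options, Content-Type).
    const std::vector<std::pair<std::string, std::string>> samples = {
        {"nosniff", "image/png"},
        {"nosniff", "image/foo"},
        {"NoSniff", "Image/PNG; charset=binary"},
        {"nosniff", "text/html"},
        {"", "image/foo"},
    };
    std::printf("%-10s %-28s %-8s %-8s\n", "XCTO", "Content-Type", "old", "new");
    for (const auto& s : samples) {
        NosniffDecision oldD = ShouldAllowImageLoad(s.first, s.second, false);
        NosniffDecision newD = ShouldAllowImageLoad(s.first, s.second, true);
        std::printf("%-10s %-28s %-8s %-8s\n", s.first.c_str(), s.second.c_str(),
                    oldD.checked ? (oldD.allowed ? "allow" : "block") : "n/a",
                    newD.checked ? (newD.allowed ? "allow" : "block") : "n/a");
    }
    return 0;
}
```

The only row where the two rules differ is an image type the browser does not decode ("image/foo") served with nosniff: the old rule blocks it and logs an error, the new rule lets the load proceed, and the decoder then fails on the unknown type exactly as it would without the header, which is why the reviewer notes that the change removes a console message rather than altering what gets displayed.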
Comment 5•8 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Comment 6•8 years ago
Does this affect 49? I notice bug 471020 landed for 50, so maybe you intended this for aurora (50) uplift.
Comment 7•8 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> Does this affect 49? I notice bug 471020 landed for 50, so maybe you
> intended this for aurora (50) uplift.
Liz, yes this is intended to be uplifted to aurora (50) - thanks for checking!
Flags: needinfo?(ckerschb)
Comment 8•8 years ago
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch
Please see comment 4 and also comment 7.
Attachment #8780081 -
Flags: approval-mozilla-beta? → approval-mozilla-aurora?
Comment on attachment 8780081 [details] [diff] [review]
bug_1294411_xcto_should_allow_images_with_type_image.patch
Makes Firefox more spec compliant, stabilized on Nightly for a few days, Aurora50+
Attachment #8780081 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10•8 years ago
bugherder uplift