1581512 - Align XTCO-Nosniff behaviour with Chrome

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement, P2)

Description

[Sebastian Streich [:sstreich]]

Currently we're super strict if Content-Type-Options: nosniff is set and disallow any type of sniffing. This means in case a Server has XTCO set and did not send a MIME we're currently leaking our internal Content-Type "application/x-unknown-content-type".
In MIME Sniffing Spec by Whatwg it seems the sniffing of non script-able resources is allowed, even if nosniff is active. Chrome currently sets text/plain or application/octet-stream for this cases, depending on the content.
We should also move to allow text/plain and octetstream here, to better intrerop with chrome.

Comment 1

[Sebastian Streich [:sstreich]]

Attachment: Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb

Comment 2

[Cristian Brindusan [:cbrindusan]]

:sstreich, can you please take a look at this since I've got the following error when landing:

"Reason:
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

applying /tmp/tmpQi9G8t
netwerk/base/nsNetUtil.cpp
Hunk #1 FAILED at 2726.
1 out of 1 hunk FAILED -- saving rejects to file netwerk/base/nsNetUtil.cpp.rej
abort: patch command failed: exited with status 256"

Comment 3

[Sebastian Streich [:sstreich]]

Hey, sorry about that :(
I rebased to central again. Should work now 🤞

Comment 4

[Cosmin Sabou [:CosminS]]

Sebastian, the rebase onto autoland still fails. The phabricator patch was not updated, it's still at B117797: Diff 167579.

Comment 5

[Sebastian Streich [:sstreich]]

rebased again and Pushed this time to phab 😅 - Sorry about this.

Comment 6

[Pulsebot]

Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/578c0ff0aac8
Use plain or octetStream as default mime for XTCO -r=ckerschb

Comment 7

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/578c0ff0aac8

Comment 8

[Sebastian Streich [:sstreich]]

Comment on attachment 9092996 [details]
Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb

Beta/Release Uplift Approval Request

• User impact if declined: If a user decides to enable Xtco on beta and visits a page with the headers:
  X-content-type-options: nosniff
  Content-Type: none
  He'll be presented with a Download Prompt; Chrome in that case shows the page in plaintext if possible.
  This patch is meant to close our webcompat issues here.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): We intend to uplift 1585055
  Which will disable Nosniff support by default.
  So unless a user takes action to test this feature this code wont be run in FF70.
• String changes made/needed:

Comment 9

[Julien Cristau [:jcristau]]

(In reply to Sebastian Streich [:sstreich] from comment #8)

Beta/Release Uplift Approval Request

• User impact if declined: If a user decides to enable Xtco on beta and visits a page with the headers:
  X-content-type-options: nosniff
  Content-Type: none
  He'll be presented with a Download Prompt; Chrome in that case shows the page in plaintext if possible.
  This patch is meant to close our webcompat issues here.

More to the point it seems the reason we're uplifting this is to avoid having to rebase the patch for bug 1585055. Bugs with a non-default configuration aren't generally grounds for uplifts, let alone this late in beta.

Comment 10

[Julien Cristau [:jcristau]]

Comment on attachment 9092996 [details]
Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb

dependency for bug 1585055, approved for 70.0b14

Comment 11

[Julien Cristau [:jcristau]]

https://hg.mozilla.org/releases/mozilla-beta/rev/27a820b8753a