Align XTCO-Nosniff behaviour with Chrome
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
()
People
(Reporter: sstreich, Assigned: sstreich)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
Currently we're super strict if Content-Type-Options: nosniff is set and disallow any type of sniffing. This means in case a Server has XTCO set and did not send a MIME we're currently leaking our internal Content-Type "application/x-unknown-content-type".
In MIME Sniffing Spec by Whatwg it seems the sniffing of non script-able resources is allowed, even if nosniff is active. Chrome currently sets text/plain or application/octet-stream for this cases, depending on the content.
We should also move to allow text/plain and octetstream here, to better intrerop with chrome.
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 1•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
||
Comment 2•1 year ago
|
||
:sstreich, can you please take a look at this since I've got the following error when landing:
"Reason:
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.
applying /tmp/tmpQi9G8t
netwerk/base/nsNetUtil.cpp
Hunk #1 FAILED at 2726.
1 out of 1 hunk FAILED -- saving rejects to file netwerk/base/nsNetUtil.cpp.rej
abort: patch command failed: exited with status 256"
|
|
Assignee | |
Comment 3•1 year ago
|
||
Hey, sorry about that :(
I rebased to central again. Should work now 🤞
|
||
Comment 4•1 year ago
|
||
Sebastian, the rebase onto autoland still fails. The phabricator patch was not updated, it's still at B117797: Diff 167579.
|
|
Assignee | |
Comment 5•1 year ago
|
||
rebased again and Pushed this time to phab 😅 - Sorry about this.
Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/578c0ff0aac8
Use plain or octetStream as default mime for XTCO -r=ckerschb
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 8•1 year ago
|
||
Comment on attachment 9092996 [details]
Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb
Beta/Release Uplift Approval Request
- User impact if declined: If a user decides to enable Xtco on beta and visits a page with the headers:
X-content-type-options: nosniff
Content-Type: none
He'll be presented with a Download Prompt; Chrome in that case shows the page in plaintext if possible.
This patch is meant to close our webcompat issues here. - Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We intend to uplift 1585055
Which will disable Nosniff support by default.
So unless a user takes action to test this feature this code wont be run in FF70. - String changes made/needed:
|
||
Comment 9•1 year ago
|
||
(In reply to Sebastian Streich [:sstreich] from comment #8)
Beta/Release Uplift Approval Request
- User impact if declined: If a user decides to enable Xtco on beta and visits a page with the headers:
X-content-type-options: nosniff
Content-Type: none
He'll be presented with a Download Prompt; Chrome in that case shows the page in plaintext if possible.
This patch is meant to close our webcompat issues here.
More to the point it seems the reason we're uplifting this is to avoid having to rebase the patch for bug 1585055. Bugs with a non-default configuration aren't generally grounds for uplifts, let alone this late in beta.
|
|
||
Comment 10•1 year ago
|
||
Comment on attachment 9092996 [details]
Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb
dependency for bug 1585055, approved for 70.0b14
|
|
||
Comment 11•1 year ago
|
||
| bugherderuplift | ||
Description
•