Closed Bug 1581512 Opened 3 months ago Closed 3 months ago

Align XTCO-Nosniff behaviour with Chrome

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla71
Webcompat Priority P1
Tracking Status
firefox70 --- fixed
firefox71 --- fixed

People

(Reporter: sstreich, Assigned: sstreich)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Currently we're super strict if X-Content-Type-Options: nosniff is set and disallow any type of sniffing. This means in case a server has XTCO set and did not send a MIME type we're currently leaking our internal Content-Type "application/x-unknown-content-type".
In the MIME Sniffing Spec by WHATWG it seems the sniffing of non-scriptable resources is allowed, even if nosniff is active. Chrome currently sets text/plain or application/octet-stream for these cases, depending on the content.
We should also move to allow text/plain and octet-stream here, to better interop with Chrome.
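The fallback described above, as an added illustration that is not the patch from this bug nor Firefox code: when nosniff is set and no Content-Type header arrives, pick text/plain or application/octet-stream from the response bytes using the WHATWG MIME Sniffing standard's text-or-binary rule (binary data bytes, text BOMs, 1445-byte resource header). Function names and the sample bodies are constructed for this example.

```python
# Constructed example: the nosniff-with-missing-Content-Type fallback discussed
# in this bug. Not the nsNetUtil.cpp patch; a stand-alone model of the rule.

RESOURCE_HEADER_LEN = 1445  # bytes the sniffing spec inspects

# "Binary data bytes" per the WHATWG MIME Sniffing standard:
# 0x00-0x08, 0x0B, 0x0E-0x1A and 0x1C-0x1F.
BINARY_DATA_BYTES = frozenset(
    list(range(0x00, 0x09)) + [0x0B] + list(range(0x0E, 0x1B)) + list(range(0x1C, 0x20))
)


def looks_like_text(body: bytes) -> bool:
    """Text-or-binary check over the resource header: a UTF-16 or UTF-8 BOM
    marks the resource as text; otherwise any binary data byte makes it binary."""
    header = body[:RESOURCE_HEADER_LEN]
    if header[:2] in (b"\xfe\xff", b"\xff\xfe") or header[:3] == b"\xef\xbb\xbf":
        return True
    return not any(b in BINARY_DATA_BYTES for b in header)


def nosniff_default_type(content_type_header: str, body: bytes) -> str:
    """Effective MIME type for a response carrying X-Content-Type-Options:
    nosniff. content_type_header is the raw Content-Type value ("" if absent).

    With a declared type, nosniff means it is used as-is (no sniffing).
    Without one, the old Firefox behaviour surfaced the internal
    application/x-unknown-content-type and offered a download; the behaviour
    aligned with Chrome falls back to one of two non-scriptable types, so the
    protection nosniff exists for (no upgrade to script or stylesheet) holds.
    """
    declared = content_type_header.split(";", 1)[0].strip().lower()
    if declared:
        return declared
    return "text/plain" if looks_like_text(body) else "application/octet-stream"
```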

Assignee: nobody → sstreich
Status: NEW → ASSIGNED
Webcompat Priority: --- → P1
Attachment #9092996 - Attachment description: Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb → Bug 1581512 - Use plain or octetStream as default mime for XTCO r=ckerschb
Priority: -- → P2
Whiteboard: [domsecurity-active]
Attachment #9092996 - Attachment description: Bug 1581512 - Use plain or octetStream as default mime for XTCO r=ckerschb → Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb
Keywords: checkin-needed

:sstreich, can you please take a look at this since I've got the following error when landing:

"Reason:
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

applying /tmp/tmpQi9G8t
netwerk/base/nsNetUtil.cpp
Hunk #1 FAILED at 2726.
1 out of 1 hunk FAILED -- saving rejects to file netwerk/base/nsNetUtil.cpp.rej
abort: patch command failed: exited with status 256"

Flags: needinfo?(sstreich)
Keywords: checkin-needed

Hey, sorry about that :(
I rebased to central again. Should work now 🤞

Flags: needinfo?(sstreich)
Keywords: checkin-needed

Sebastian, the rebase onto autoland still fails. The phabricator patch was not updated, it's still at B117797: Diff 167579.

Flags: needinfo?(sstreich)
Keywords: checkin-needed

Rebased again and pushed this time to phab 😅 - sorry about this.

Flags: needinfo?(sstreich)
Keywords: checkin-needed

Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/578c0ff0aac8
Use plain or octetStream as default mime for XTCO -r=ckerschb

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Comment on attachment 9092996 [details]
Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb

Beta/Release Uplift Approval Request

  • User impact if declined: If a user decides to enable XTCO on beta and visits a page with the headers:
    X-content-type-options: nosniff
    Content-Type: none
    he'll be presented with a download prompt; Chrome in that case shows the page in plaintext if possible.
    This patch is meant to close our webcompat issues here.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We intend to uplift 1585055,
    which will disable nosniff support by default.
    So unless a user takes action to test this feature, this code won't be run in FF70.
  • String changes made/needed:
Attachment #9092996 - Flags: approval-mozilla-beta?

(In reply to Sebastian Streich [:sstreich] from comment #8)

Beta/Release Uplift Approval Request

  • User impact if declined: If a user decides to enable XTCO on beta and visits a page with the headers:
    X-content-type-options: nosniff
    Content-Type: none
    he'll be presented with a download prompt; Chrome in that case shows the page in plaintext if possible.
    This patch is meant to close our webcompat issues here.

More to the point it seems the reason we're uplifting this is to avoid having to rebase the patch for bug 1585055. Bugs with a non-default configuration aren't generally grounds for uplifts, let alone this late in beta.

Comment on attachment 9092996 [details]
Bug 1581512 - Use plain or octetStream as default mime for XTCO -r=ckerschb

dependency for bug 1585055, approved for 70.0b14

Attachment #9092996 - Flags: approval-mozilla-beta? → approval-mozilla-beta+