NoSniff breaks JSON Viewer for content types other than application/json and application/manifest+json
Categories
(DevTools :: JSON Viewer, defect, P1)
Tracking
(firefox-esr60 unaffected, firefox-esr68 unaffected, firefox67 unaffected, firefox68 unaffected, firefox69 unaffected, firefox70+ disabled, firefox71 fixed)
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox67 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | + | disabled |
firefox71 | --- | fixed |
People
(Reporter: Oriol, Assigned: sstreich)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
The JSON Viewer loads when the content type is `application/json` or any `application/*+json`.
However, bug 1578991 only handled `application/json`, `application/manifest+json` and `text/json`.
Therefore, with NoSniff, the JSON viewer doesn't load for content types like `application/vnd.api+json`, `application/hal+json` or `application/ld+json`.
Testcase: run this file in a server with php:
<?php
header("Content-Type: application/vnd.api+json");
header("x-content-type-options: nosniff");
echo '[1,2,3]';
?>
Expected: the JSON Viewer displays the contents.
Actual: Firefox offers to download the file.
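The mismatch described in this report, modelled as an added example (not Firefox code and not part of the original report): one predicate follows the rule given for the JSON Viewer, the other follows the three types the report says were handled under nosniff, and the difference between them is the set of responses that end up as downloads. All function names and the sample headers are assumptions made for illustration.

```javascript
// Added illustration, not Firefox source; all names here are hypothetical.

// Reduce a Content-Type header value to its lowercased "type/subtype",
// dropping parameters such as "; charset=utf-8". Returns null if malformed.
function mediaType(headerValue) {
  const essence = String(headerValue).split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// Types the report says were handled under nosniff (bug 1578991).
const NARROW_LIST = new Set([
  "application/json",
  "application/manifest+json",
  "text/json",
]);

function narrowCheck(headerValue) {
  const type = mediaType(headerValue);
  return type !== null && NARROW_LIST.has(type);
}

// Rule the report gives for the JSON Viewer:
// application/json or any application/*+json.
function viewerCheck(headerValue) {
  const type = mediaType(headerValue);
  if (type === null) return false;
  return type === "application/json" ||
    (type.startsWith("application/") && type.endsWith("+json"));
}

// Headers the viewer rule accepts but the narrow list rejects. Per the
// report, a nosniff response with such a type is offered as a download.
function nosniffGap(headerValues) {
  return headerValues.filter((h) => viewerCheck(h) && !narrowCheck(h));
}

// Constructed sample headers (not captured traffic).
const SAMPLE_HEADERS = [
  "application/json",
  "application/manifest+json",
  "application/vnd.api+json",
  "application/hal+json; charset=utf-8",
  "Application/LD+JSON",
  "text/html",
  "json",
];

console.log(nosniffGap(SAMPLE_HEADERS));
```

Matching on the `+json` suffix after normalising case and stripping parameters keeps the nosniff path and the viewer in agreement without having to enumerate every vendor type.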
Comment 1•6 years ago
Thanks for the report!
Looks like we need to fix the following line?
https://searchfox.org/mozilla-central/rev/f43ae7e1c43a4a940b658381157a6ea6c5a185c1/devtools/client/jsonview/converter-observer.js#94
Honza
Comment 2 (Reporter)•6 years ago
(In reply to Jan Honza Odvarko [:Honza] (always need-info? me) from comment #1)
> Looks like we need to fix the following line?
> https://searchfox.org/mozilla-central/rev/f43ae7e1c43a4a940b658381157a6ea6c5a185c1/devtools/client/jsonview/converter-observer.js#94
That line is fine, what should be fixed is
https://searchfox.org/mozilla-central/rev/f43ae7e1c43a4a940b658381157a6ea6c5a185c1/netwerk/base/nsNetUtil.cpp#2732-2734
Comment 3•6 years ago
@Oriol, thanks for the clarification!
Honza
Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/04f75de35ca7
Call Sniffers for application/* mime Types r=ckerschb
Comment 7•6 years ago
We don't need this in 70 now, right? I think this was just disabled in bug 1585055 (?)
Comment 8•6 years ago
I'll just leave this affected for now and track it till I hear back.
Comment 9•6 years ago
Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information
Comment 10 (Assignee)•6 years ago
Hey! Yes, once bug 1585055 is uplifted, ff70 is unaffected by this.