1626158 - Obtaining a Web Manifest should reject if MIME type is not JSON

Status: NEW

(Core :: DOM: Core & HTML, defect, P2)

Description

[Marcos Caceres [:marcosc]]

When obtaining a Web Manifest, the spec now says we must reject if MIME type is not a JSON MIME type.

Comment 1

[Marcos Caceres [:marcosc]]

Attachment: Obtain manifests only using the JSON MIME type

The Web Manifest spec will now require that MIME Type be set and be a "JSON MIME Type".

Comment 2

[Marcos Caceres [:marcosc]]

try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=d16074638686a13066d8f7461b72aafaae8a6bd0&selectedJob=296376679

Comment 3

[[:fabrice] Fabrice Desré]

It needs to be noted that the spec may require it, but that's not decided yet (https://github.com/w3c/manifest/issues/821#issuecomment-609557743).

Previous experience at Mozilla around that was negative too, and I don't see any relevant data that can motivate this change.

Comment 4

[Marcos Caceres [:marcosc]]

Seems this needs to be done with XPIDL, which is not something I'm familiar with. I did some investigating and it seems XPIDL is not something documented in a usable way (i.e., it doesn't say how to bind to C++ files or how to get started or any functional examples), so it's not possible for me to proceed on this for now.

If someone else wants to take this over, please do. Otherwise, if someone knows XPIDL and wants to mentor me, I'd be happy to set aside some time.

The code to do this is all in Gecko, MIMEType.cpp has a parse() function that conforms to the WHATWG spec. However, without the XPIDL documentation, I won't have time to do it (from previous experience - one needs about 6-8 weeks to figure undocumented gecko stuff out).

Comment 5

[Marcos Caceres [:marcosc]]

Previous experience at Mozilla around that was negative too, and I don't see any relevant data that can motivate this change.

Please see Mike West's rationale on GitHub. I think it makes sense to not throw arbitrary/incorrectly labelled data at the JSON parser, as it reduces the attack surface. Of course, an attacker could just change the MIME type and still try to confuse the parser, but at least it cuts down on the attack surface a bit.