1966620 - Don't allow JSON MIME type for JS non-JSON module loads

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P3)

Description

[Tom Schuster (MoCo)]

Since bug 1858078 JSON modules (i.e. with {type: "json"}) load have their own nsContentPolicyType(s). This means the exception added for allowing loads of JS modules with a JSON MIME type in bug 1916351 is now incorrect. We should disallow normal JS modules with a JSON MIME type again and we should make sure JSON modules loads have a JSON MIME type.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1858078

:jon4t4n, since you are the author of the regressor, bug 1858078, could you take a look?

For more information, please visit BugBot documentation.

Comment 2

[Jonatan Klemets [:jon4t4n]]

Attachment: Bug 1966620 - Update EnsureMIMEOfScript and WarnWrongMIMEOfScript to handle TYPE_JSON r=evilpie,#necko-reviewers,#devtools-reviewers

This code broke when TYPE_JSON was added in bug 1858078 because it
lacked test coverage. This patch fixes the code and adds tests to make
sure we don't break it again.

Comment 3

[Pulsebot]

Pushed by jonatan.r.klemets@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/f54e29178c57
https://hg.mozilla.org/integration/autoland/rev/5748d8f98d18
Update EnsureMIMEOfScript and WarnWrongMIMEOfScript to handle TYPE_JSON r=necko-reviewers,devtools-reviewers,tschuster,nchevobbe,kershaw

Comment 4

[Pulsebot]

Pushed by smolnar@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/206140a3348c
https://hg.mozilla.org/integration/autoland/rev/3febe603af79
Revert "Bug 1966620 - Update EnsureMIMEOfScript and WarnWrongMIMEOfScript to handle TYPE_JSON r=necko-reviewers,devtools-reviewers,tschuster,nchevobbe,kershaw" for causing wpt perm failures @ /html/semantics/scripting-1/the-script-element/json-module/charset-bom.any.sharedworker.html

Comment 5

[Sandor Molnar[:smolnar]]

Backed out for causing wpt perm failures @ /html/semantics/scripting-1/the-script-element/json-module/charset-bom.any.sharedworker.html

Backout link: https://hg.mozilla.org/integration/autoland/rev/3febe603af79664101451a1613279b9377de08f4

Push with failures

Failure log -> TEST-UNEXPECTED-FAIL | /html/semantics/scripting-1/the-script-element/json-module/charset-bom.any.sharedworker.html

Comment 6

[Pulsebot]

Pushed by jonatan.r.klemets@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/f9986599ac33
https://hg.mozilla.org/integration/autoland/rev/9da423677f3f
Update EnsureMIMEOfScript and WarnWrongMIMEOfScript to handle TYPE_JSON r=necko-reviewers,devtools-reviewers,tschuster,nchevobbe,kershaw
https://github.com/mozilla-firefox/firefox/commit/695b5f9484ae
https://hg.mozilla.org/integration/autoland/rev/ede12d3619af
1977784: apply code formatting via Lando

Comment 7

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/9da423677f3f
https://hg.mozilla.org/mozilla-central/rev/ede12d3619af

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:jon4t4n, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
  • See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
• If no, please set status-firefox142 to wontfix.

For more information, please visit BugBot documentation.