Closed Bug 662227 Opened 13 years ago Closed 7 years ago

Load script files only with a Content-Type of application/javascript or application/json when CSP is enabled

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: bugzilla, Assigned: bsterne)

Details

Expected Result:
Firefox should not load a script file if its Content-Type is not allowed by the CSP spec.

Actual Result:
Current Firefox will load a script file with any Content-Type.

What CSP spec says:
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-execution-restrictions
User-agents must execute all external scripts whose src attribute refers to a permitted source and which are served with a Content-Type of application/javascript or application/json.
bsterne?
Component: DOM: Core & HTML → Security
QA Contact: general → toolkit
I'll take this. dynamis, thanks for reporting, but I would encourage you to hold off on filing not-implemented-per-spec bugs just yet.  I only say this, as I've seen you CC yourself on a number of CSP implementation bugs and I want to save you the time.

The "spec" is still in flux and there are a number of known disparities between the Gecko implementation and what's in the "spec", which is still in Unofficial Draft status.  I do appreciate you filing this bug, though.

Incidentally, we may want to expand the list of allowed MIME types beyond the two listed here.
Assignee: nobody → bsterne
Component: Security → DOM: Core & HTML
QA Contact: toolkit → general
Brandon - do you know why this was dropped from the CSP spec?
This requirement was taken out of the spec in Nov 2011
https://dvcs.w3.org/hg/content-security-policy/rev/76f67cf1e5ad

Hopefully we can get something like it back in because the current behavior is potentially dangerous (e.g. bug 722547).
I'm WONTFIXING this. You can get stricter MIME type checking by using X-Content-Type-Options. If you want that to be CSP controlled I recommend filing a specification issue first.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX