Load script files only with a Content-Type of application/javascript or application/json when CSP is enabled

DOM: Core & HTML
7 years ago
6 months ago

(Reporter: dynamis (Tomoya ASAI), Assigned: bsterne)

Firefox Tracking Flags: (Not tracked)

7 years ago
Expected Result:
Firefox should not load a script file if its Content-Type is not allowed by the CSP spec.

Actual Result:
Current Firefox will load script file with any content-type.

What CSP spec says:
User-agents must execute all external scripts whose src attribute refers to a permitted source and which are served with a Content-Type of application/javascript or application/json.
Component: DOM: Core & HTML → Security
QA Contact: general → toolkit

Comment 2

7 years ago
I'll take this. dynamis, thanks for reporting, but I would encourage you to hold off on filing not-implemented-per-spec bugs just yet.  I only say this, as I've seen you CC yourself on a number of CSP implementation bugs and I want to save you the time.

The "spec" is still in flux and there are a number of known disparities between the Gecko implementation and what's in the "spec", which is still in Unofficial Draft status.  I do appreciate you filing this bug, though.

Incidentally, we may want to expand the list of allowed MIME types beyond the two listed here.
Assignee: nobody → bsterne
Component: Security → DOM: Core & HTML
QA Contact: toolkit → general
Blocks: 722547

Comment 3

6 years ago
Brandon - do you know why this was dropped from the CSP spec?
This requirement was taken out of the spec in Nov 2011.

Hopefully we can get something like it back in because the current behavior is potentially dangerous (e.g. bug 722547).

Comment 5

6 months ago
I'm WONTFIXING this. You can get stricter MIME type checking by using X-Content-Type-Options. If you want that to be CSP controlled I recommend filing a specification issue first.
Last Resolved: 6 months ago
Resolution: --- → WONTFIX
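To make the two rules discussed in this bug concrete, here is an added illustration (not Gecko code and not part of this bug report) that models the decision from the reporter's expected result (execute only scripts served as application/javascript or application/json, per the quoted draft) beside the X-Content-Type-Options: nosniff behaviour that comment 5 points to as the available alternative. The list of JavaScript MIME types used for the nosniff rule is taken from the MIME Sniffing standard's "JavaScript MIME type" definition, which is my assumption and not something this page states; the sample responses are constructed, and the nosniff header parsing is simplified.

```python
"""Model of the script-loading decision discussed in this bug.

Added illustration, not Gecko code: it applies the quoted draft-CSP rule
(only application/javascript or application/json may execute) and the
X-Content-Type-Options: nosniff rule from comment 5 to a set of
constructed HTTP response headers, so the two behaviours can be compared.
"""

# The two MIME types quoted from the draft CSP spec in the bug report.
CSP_SCRIPT_TYPES = frozenset({"application/javascript", "application/json"})

# JavaScript MIME types that a nosniff-aware browser accepts for scripts.
# Assumption: taken from the MIME Sniffing standard, not from this bug page.
JS_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def essence(content_type):
    """Return the lowercase type/subtype of a Content-Type value, or None.

    Parameters such as ';charset=utf-8' are dropped and surrounding
    whitespace ignored. A missing or malformed header yields None, which
    no allow-list will match.
    """
    if content_type is None:
        return None
    mime = content_type.split(";", 1)[0].strip().lower()
    if "/" not in mime or mime.startswith("/") or mime.endswith("/"):
        return None
    return mime


def allowed_by_csp_rule(headers):
    """Decision under the quoted draft-CSP rule: execute only when the
    Content-Type essence is one of the two listed types."""
    return essence(headers.get("content-type")) in CSP_SCRIPT_TYPES


def allowed_with_nosniff(headers):
    """Decision when X-Content-Type-Options: nosniff is honoured: a script
    executes only if its Content-Type is a JavaScript MIME type. Without
    nosniff the browser falls back to executing whatever it fetched, which
    is the 'actual result' the reporter describes."""
    value = headers.get("x-content-type-options", "")
    # Simplified: the standard takes the first comma-separated token.
    nosniff = value.split(",", 1)[0].strip().lower() == "nosniff"
    if not nosniff:
        return True
    return essence(headers.get("content-type")) in JS_MIME_TYPES


# Constructed sample responses (header names lowercased, as a server audit
# script would normalise them). 'upload.bin' stands for a server-hosted
# file whose bytes are not under the site's control, e.g. a user upload.
SAMPLE_RESPONSES = [
    ("app.js", {"content-type": "application/javascript; charset=UTF-8"}),
    ("legacy.js", {"content-type": "text/javascript"}),
    ("upload.bin", {"content-type": "image/png"}),
    ("no-type", {}),
    ("hardened.js", {"content-type": "text/javascript",
                     "x-content-type-options": "nosniff"}),
    ("hardened.png", {"content-type": "image/png",
                      "x-content-type-options": "nosniff"}),
]


def audit(responses):
    """Return (name, allowed_by_csp_rule, allowed_with_nosniff) per response,
    so an operator can see which script URLs would have executed under each
    rule and which responses still lack nosniff."""
    return [(name, allowed_by_csp_rule(h), allowed_with_nosniff(h))
            for name, h in responses]


if __name__ == "__main__":
    for name, csp_ok, nosniff_ok in audit(SAMPLE_RESPONSES):
        print(f"{name:14} draft-CSP rule: {csp_ok!s:5} nosniff rule: {nosniff_ok}")
```

Running the audit shows the difference the thread is about: without nosniff every sample response, including the image/png upload and the response with no Content-Type at all, is treated as executable, while the quoted draft rule would have refused everything except app.js (and would also have refused the common text/javascript, which is why comment 2 suggests widening the list). Adding nosniff blocks the non-script responses while still allowing text/javascript.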