Load script files only with a Content-Type of application/javascript or application/json when CSP is enabled

Status: RESOLVED WONTFIX
Product: Core
Component: DOM: Core & HTML
Reported: 7 years ago
Modified: 6 months ago

People

(Reporter: dynamis (Tomoya ASAI), Assigned: bsterne)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

7 years ago
Expected Result:
Firefox should not load a script file if its Content-Type is not allowed by the CSP spec.

Actual Result:
Current Firefox will load a script file with any Content-Type.

What CSP spec says:
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-execution-restrictions
User-agents must execute all external scripts whose src attribute refers to a permitted source and which are served with a Content-Type of application/javascript or application/json.
bsterne?
Component: DOM: Core & HTML → Security
QA Contact: general → toolkit
(Assignee)

Comment 2

7 years ago
I'll take this. dynamis, thanks for reporting, but I would encourage you to hold off on filing not-implemented-per-spec bugs just yet.  I only say this, as I've seen you CC yourself on a number of CSP implementation bugs and I want to save you the time.

The "spec" is still in flux and there are a number of known disparities between the Gecko implementation and what's in the "spec", which is still in Unofficial Draft status.  I do appreciate you filing this bug, though.

Incidentally, we may want to expand the list of allowed MIME types beyond the two listed here.
Assignee: nobody → bsterne
Component: Security → DOM: Core & HTML
QA Contact: toolkit → general
Blocks: 722547

Comment 3

6 years ago
Brandon - do you know why this was dropped from the CSP spec?
This requirement was taken out of the spec in Nov 2011
https://dvcs.w3.org/hg/content-security-policy/rev/76f67cf1e5ad

Hopefully we can get something like it back in because the current behavior is potentially dangerous (e.g. bug 722547).

Comment 5

6 months ago
I'm WONTFIXING this. You can get stricter MIME type checking by using X-Content-Type-Options. If you want that to be CSP controlled I recommend filing a specification issue first.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → WONTFIX
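As an added illustration (not code from this bug, from Gecko, or from the CSP spec), here is a small Python model of the two checks discussed above: the 2011 draft's two-type Content-Type list quoted in the description, and the X-Content-Type-Options: nosniff rule that comment 5 points to instead. The JavaScript MIME type list is the one in the WHATWG MIME Sniffing standard; the sample responses are constructed, and the header dicts stand in for a real response's header list.

```python
# JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# The only two types the Nov 2011 CSP draft quoted in the description allowed.
CSP_DRAFT_SCRIPT_TYPES = frozenset({"application/javascript", "application/json"})


def get_header(headers, name, default=None):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


def mime_essence(content_type):
    """Lowercase type/subtype of a Content-Type value, parameters dropped.
    Returns None when the header is absent or has no type/subtype."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None


def blocked_by_csp_draft(headers):
    """2011 draft rule: an external script executes only for the two listed types."""
    return mime_essence(get_header(headers, "Content-Type")) not in CSP_DRAFT_SCRIPT_TYPES


def blocked_by_nosniff(headers):
    """nosniff rule: with the header set, a script without a JavaScript MIME type is
    blocked; without the header it runs whatever the type (the bug's 'actual result')."""
    if get_header(headers, "X-Content-Type-Options", "").strip().lower() != "nosniff":
        return False
    return mime_essence(get_header(headers, "Content-Type")) not in JAVASCRIPT_MIME_TYPES


# Constructed sample responses to an external <script src> fetch (not from the bug).
SAMPLES = {
    "js_with_charset": {"Content-Type": "text/javascript; charset=utf-8",
                        "X-Content-Type-Options": "nosniff"},
    "image_as_script": {"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"},
    "image_no_nosniff": {"Content-Type": "image/png"},
    "missing_type": {"X-Content-Type-Options": "nosniff"},
}
```

Note that a plain `text/javascript` response passes the nosniff check but would have been blocked by the draft's two-type list, which is the narrowness comment 2 alludes to when it suggests expanding the list.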