Add a security consideration about content sniffing. #348
This is to mitigate the content-sniffing risk outlined in WICG/webpackage#348.
308e7be to a70242c
still lg
bda9041 to 052993b
I need some help understanding the model. Is the idea that Or is the idea that the responses they encompass (i.e., those in the bundle/archive) cannot be sniffed? If so, we could "dynamically inject" this header when we create those responses ensuring "determine nosniff" always returns true for them downstream.
@annevk One of the bigger risks is that they might be sniffed as PDFs, Flash, or other plugin-recognized types. The risky file types don't necessarily follow the Fetch spec, so the header isn't guaranteed to work, but we thought it'd improve our chances. @mikewest may have other answers. He suggested requiring nosniff here. We also want to make internal responses automatically nosniff, but that'll come in a separate change.
Ah plugins, that is indeed a poorly specified area. Note that currently we don't have any language that suggests nosniff would work for plugins.
Yep. I don't personally have evidence that this improves things for any particular plugin; we're just hoping. I don't have strong feelings about whether this is the right thing to do.
I think we need to know concretely what this will help with so it can be tested for (and specified if it isn't already). In particular as we'd have to do this for other new formats too, presumably (e.g., Wasm)? (I see the benefits for the contained non-HTTP responses, but as you said that's separate.)
To encourage servers to include the nosniff header, this CL makes Chromium reject SXG served without the "X-Content-Type-Options: nosniff" header. Bug: WICG/webpackage#348 Change-Id: I5343a8d13a42a3c9144f05d871777d35a20a77b7
In general, I'd like for us to be strict about new mechanisms we're adding to the platform that might result in executable code. I don't have any concrete examples of places where plugins could misinterpret an SXG response as something unfortunate, but there are a number of examples of plugins' propensity to zealously sniff incoming content into executable code. I'd like to make that less likely. That said, when I was talking with @jyasskin about this a few days ago, I incorrectly assumed that
As above, I'd like for us to strictly enforce MIME type checks for resources contained in SXG responses. Implicitly injecting a nosniff requirement seems like it would indeed be simpler for developers, so I'd be on board with that kind of mechanism. It seems like requiring developers to include the header has a higher chance of increasing usage even in browsers that don't support SXG (as presumably developers would inject the header themselves on both the SXG-encoded resource, and the plain ol' resource), but that might be asking too much.
To encourage servers to include the nosniff header, this CL makes Chromium reject SXG served without the "X-Content-Type-Options: nosniff" header. Bug: WICG/webpackage#348, 916362 Change-Id: I5343a8d13a42a3c9144f05d871777d35a20a77b7
To encourage servers to include the nosniff header, this CL makes Chromium reject SXG served without the "X-Content-Type-Options: nosniff" header. Bug: WICG/webpackage#348, 916362 Change-Id: I5343a8d13a42a3c9144f05d871777d35a20a77b7 Reviewed-on: https://chromium-review.googlesource.com/c/1373430 Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#617780}
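The rejection rule described in the commit message above, together with the "determine nosniff" step mentioned earlier in the thread, sketched as an added example (not code from this PR, from Chromium, or from any participant). `auditSxgOuterResponse` is a hypothetical helper, the header splitting is a simplified reading of the Fetch algorithm, and the header lists used to exercise it are constructed.

```javascript
// Added example: a simplified reading of Fetch's "determine nosniff",
// applied to the outer response headers of a signed exchange (SXG).
// Header lists are arrays of [name, value] pairs.

// Combine every value of `name` and split on commas outside quoted strings.
// Returns null when the header is absent.
function getDecodeAndSplit(headerList, name) {
  const wanted = name.toLowerCase();
  const values = headerList
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  if (values.length === 0) return null;

  const combined = values.join(", ");
  const parts = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < combined.length; i++) {
    const ch = combined[i];
    if (inQuotes && ch === "\\" && i + 1 < combined.length) {
      current += ch + combined[++i]; // keep the escaped character as-is
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
    } else if (ch === "," && !inQuotes) {
      parts.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current);
  // Strip leading and trailing HTTP tab or space from each value.
  return parts.map((p) => p.replace(/^[\t ]+|[\t ]+$/g, ""));
}

// True only when the FIRST listed value is "nosniff" (case-insensitive).
function determineNosniff(headerList) {
  const values = getDecodeAndSplit(headerList, "X-Content-Type-Options");
  return values !== null && values[0].toLowerCase() === "nosniff";
}

// Hypothetical pre-deployment check mirroring the rejection rule in the CL.
function auditSxgOuterResponse(headerList) {
  return determineNosniff(headerList)
    ? { accepted: true, reason: "nosniff present" }
    : { accepted: false, reason: "missing X-Content-Type-Options: nosniff" };
}
```

Only the first listed value counts, so a response carrying `foo, nosniff` is still rejected by this check.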
052993b to 71a9b8b
I'm going to revert the discussion of
… response headers, a=testonly Automatic update from web-platform-tests SignedExchange: Require nosniff in outer response headers To encourage servers to include the nosniff header, this CL makes Chromium reject SXG served without the "X-Content-Type-Options: nosniff" header. Bug: WICG/webpackage#348, 916362 Change-Id: I5343a8d13a42a3c9144f05d871777d35a20a77b7 Reviewed-on: https://chromium-review.googlesource.com/c/1373430 Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#617780} -- wpt-commits: 675ade14e7e8db49c13da4d4a8684568cedb10d7 wpt-pr: 14522
… response headers, a=testonly Automatic update from web-platform-tests SignedExchange: Require nosniff in outer response headers To encourage servers to include the nosniff header, this CL makes Chromium reject SXG served without the "X-Content-Type-Options: nosniff" header. Bug: WICG/webpackage#348, 916362 Change-Id: I5343a8d13a42a3c9144f05d871777d35a20a77b7 Reviewed-on: https://chromium-review.googlesource.com/c/1373430 Commit-Queue: Kouhei Ueno <kouheichromium.org> Reviewed-by: Kunihiko Sakamoto <ksakamotochromium.org> Reviewed-by: Kinuko Yasuda <kinukochromium.org> Cr-Commit-Position: refs/heads/master{#617780} -- wpt-commits: 675ade14e7e8db49c13da4d4a8684568cedb10d7 wpt-pr: 14522 UltraBlame original commit: 8e0c10dc58255a9a29577813535a805fcf1999c0
… response headers, a=testonly Automatic update from web-platform-tests SignedExchange: Require nosniff in outer response headers To encourage servers to include the nosniff header, this CL makes Chromium reject SXG served without the "X-Content-Type-Options: nosniff" header. Bug: WICG/webpackage#348, 916362 Change-Id: I5343a8d13a42a3c9144f05d871777d35a20a77b7 Reviewed-on: https://chromium-review.googlesource.com/c/1373430 Commit-Queue: Kouhei Ueno <kouheichromium.org> Reviewed-by: Kunihiko Sakamoto <ksakamotochromium.org> Reviewed-by: Kinuko Yasuda <kinukochromium.org> Cr-Commit-Position: refs/heads/master{#617780} -- wpt-commits: 675ade14e7e8db49c13da4d4a8684568cedb10d7 wpt-pr: 14522 UltraBlame original commit: 768b0b422609bacdc7b00036185329a90b2fdaba
This fixes #321, I think. @molnarg, how do you feel about this?
I'll need to add this to bundles too, but I want to get the SXG text right first.