New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict opaque-safelisted requesters set more? #4
Comments
@anforowicz you might have thoughts on this as well. |
This seems like a nice-to-have:
|
Good point. So if we get a range request, I guess we want:
And if we handle range requests separately from normal requests, we can also return false for 206 responses to normal requests. (I guess we might still need to sniff for media in response to normal requests. I don't know if media elements only perform range requests or not.) |
This all sounds good to me, except one thing - I am not sure how "sniffing for media" would work for range requests for the middle of a file, because it seems that there is a risk that a JSON file or a PDF file might include a media-like-sniffing-signature somewhere inside. So, maybe we should restrict "sniffing for media" to the first bytes of a subresource (i.e. excluding responses carrying the middle of a resource)? |
As this is only needed for media, perhaps we should only allow a set contains check when the user agent does a range request that is not for the start of the file.
cc @jakearchibald
The text was updated successfully, but these errors were encountered: