Block scripts with text/csv, audio/*, video/* and image/* mime types #16126
Conversation
|
Heads up! This PR modifies the following files:
|
|
|
highfive
added
the
S-awaiting-review
|
r? @asajeffrey |
ferjm
force-pushed
the
issue-14520-block-media-csv
branch
from
a63e21c
to
2c3b985
Compare
components/net/fetch/methods.rs
Outdated
| @@ -616,6 +621,18 @@ fn should_block_nosniff(request: &Request, response: &Response) -> bool { | |||
| }; | |||
| } | |||
|
|
|||
| /// https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type? | |||
| fn should_block_mime_type(request: &Request, response: &Response) -> bool { | |||
There was a problem hiding this comment.
Nit: should_be_blocked_due_to_mime_type, given I recently named the other one should_be_blocked_due_to_bad_port.
components/net/fetch/methods.rs
Outdated
| fn should_block_mime_type(request: &Request, response: &Response) -> bool { | ||
| let mime_type = response.headers.get::<ContentType>(); | ||
| let csv: Mime = "text/csv".parse().unwrap(); | ||
| request.type_ == Type::Script && mime_type.is_some() && match *mime_type.unwrap() { |
There was a problem hiding this comment.
You can first unwrap mime_type and return early if it is None.
let mime_type = match response.headers.get::<ContentType>() {
Some(header) => header,
None => return false,
};
There was a problem hiding this comment.
I'd also improve this by not pre-allocating "text/csv".parse() at all and pattern-match directly against ContentType(Mime(TopLevel::Text, SubLevel::Csv, _)).
There was a problem hiding this comment.
SubLevel::Csv doesn't exist, and I already suggested a way to not parse the CSV mimetype below. :)
components/net/fetch/methods.rs
Outdated
| ContentType(Mime(TopLevel::Audio, _, _)) | | ||
| ContentType(Mime(TopLevel::Video, _, _)) | | ||
| ContentType(Mime(TopLevel::Image, _, _)) => true, | ||
| ContentType(ref m_type) => *m_type == csv |
There was a problem hiding this comment.
No need to allocate a Mime value for csv.
match *mime_type {
...
ContentType(Mime(TopLevel::Text, SubLevel::Ext(ref ext), _)) => ext == "csv",
_ => false,
}
nox
added
S-needs-code-changes
ferjm
force-pushed
the
issue-14520-block-media-csv
branch
from
2c3b985
to
e9915f3
Compare
highfive
added
S-awaiting-review
|
Thanks for the feedback @nox. Could you take another look, please? |
|
Squash the two commits together and this is ready to be merged. |
nox
added
S-needs-squash
ferjm
force-pushed
the
issue-14520-block-media-csv
branch
from
e9915f3
to
e91c177
Compare
highfive
added
the
S-awaiting-review
|
Thank you @nox. Rebased and squashed. |
|
@jdm Shouldn't |
nox
added
S-awaiting-answer
|
☔ The latest upstream changes (presumably #16160) made this pull request unmergeable. Please resolve the merge conflicts. |
ferjm
force-pushed
the
issue-14520-block-media-csv
branch
from
e91c177
to
d6dab7b
Compare
highfive
added
the
S-awaiting-review
|
Rebased and moved tests to |
|
☔ The latest upstream changes (presumably #16214) made this pull request unmergeable. Please resolve the merge conflicts. |
ferjm
force-pushed
the
issue-14520-block-media-csv
branch
from
d6dab7b
to
cf44fab
Compare
jdm
removed
the
S-awaiting-answer
|
Seems good to me. |
components/net/fetch/methods.rs
Outdated
| // Defer rebinding result | ||
| blocked_error_response = Response::network_error(NetworkError::Internal("Blocked by nosniff".into())); | ||
| blocked_error_response = Response::network_error( | ||
| NetworkError::Internal("Blocked by nosniff or mime type".into())); |
There was a problem hiding this comment.
Please instead do a else if block and separate the two blocking errors.
nox
added
S-needs-code-changes
ferjm
force-pushed
the
issue-14520-block-media-csv
branch
from
cf44fab
to
29a56c4
Compare
highfive
added
S-awaiting-review
|
Done. r? @nox |
|
@bors-servo r+ |
|
📌 Commit 29a56c4 has been approved by |
highfive
added
S-awaiting-merge
Block scripts with text/csv, audio/*, video/* and image/* mime types This patch implements step 12 of the Main Fetch section of the Fetch API standard. It blocks the load of scripts with `text/csv`, `audio/*`, `video/*` and `image/*` mime types. Credit for the logic of `should_block_mime_type` function should go to the author of #14770. - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14520 - [X] There are tests for these changes <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16126) <!-- Reviewable:end -->
|
☀️ Test successful - android, arm32, arm64, linux-dev, linux-rel-css, linux-rel-wpt, mac-dev-unit, mac-rel-css, mac-rel-wpt1, mac-rel-wpt2, windows-msvc-dev |
highfive
removed
the
S-awaiting-merge
Upstreamed from servo/servo#16126 [ci skip]
This patch implements step 12 of the Main Fetch section of the Fetch API standard. It blocks the load of scripts with
text/csv,audio/*,video/*andimage/*mime types.Credit for the logic of
should_block_mime_typefunction should go to the author of #14770../mach build -ddoes not report any errors./mach test-tidydoes not report any errorsThis change is