Block scripts with text/csv, audio/*, video/* and image/* mime types #16126
Heads up! This PR modifies the following files:
r? @asajeffrey
a63e21c to 2c3b985
Some improvements can be made.
components/net/fetch/methods.rs (outdated)
@@ -616,6 +621,18 @@ fn should_block_nosniff(request: &Request, response: &Response) -> bool { | |||
}; | |||
} | |||
|
|||
/// https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type? | |||
fn should_block_mime_type(request: &Request, response: &Response) -> bool { |
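Review bot: the spec URL on the `///` line is the only documentation `should_block_mime_type` gets; add a one-sentence summary above it stating what the function enforces (a response destined for a script is blocked when its Content-Type is text/csv, audio/*, video/* or image/*), so a reader of the fetch code does not have to open the spec to learn what a `true` return means. The signature is also the place to settle the name: `should_be_blocked_due_to_mime_type` follows the spec phrase and the existing `should_be_blocked_due_to_bad_port`.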
Nit: should_be_blocked_due_to_mime_type, given I recently named the other one should_be_blocked_due_to_bad_port.
components/net/fetch/methods.rs (outdated)
fn should_block_mime_type(request: &Request, response: &Response) -> bool { | ||
let mime_type = response.headers.get::<ContentType>(); | ||
let csv: Mime = "text/csv".parse().unwrap(); | ||
request.type_ == Type::Script && mime_type.is_some() && match *mime_type.unwrap() { |
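Review bot: `mime_type.is_some() && match *mime_type.unwrap()` on the last line tests for `None` and then unwraps anyway; matching on `response.headers.get::<ContentType>()` with a `None => return false` arm expresses the spec's "if extracting a MIME type fails, return allowed" without the `unwrap`. The `"text/csv".parse().unwrap()` on the line before it parses a constant on every response and would panic rather than fail closed if that parse ever failed; the match arms can test the top level and subtype directly instead.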
You can first unwrap mime_type and return early if it is None.
let mime_type = match response.headers.get::<ContentType>() {
Some(header) => header,
None => return false,
};
I'd also improve this by not pre-allocating "text/csv".parse() at all and pattern-match directly against ContentType(Mime(TopLevel::Text, SubLevel::Csv, _)).
SubLevel::Csv doesn't exist, and I already suggested a way to not parse the CSV mimetype below. :)
components/net/fetch/methods.rs (outdated)
ContentType(Mime(TopLevel::Audio, _, _)) | | ||
ContentType(Mime(TopLevel::Video, _, _)) | | ||
ContentType(Mime(TopLevel::Image, _, _)) => true, | ||
ContentType(ref m_type) => *m_type == csv |
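Review bot: `*m_type == csv` on the last line is a whole-`Mime` equality, and that comparison includes the parameter list, so a response served as `text/csv; charset=utf-8` is not equal to the parsed `text/csv` and is not blocked, while the `audio`, `video` and `image` arms above it correctly ignore parameters with `_`. Match the CSV case on top level and subtype only, with `_` in the parameter position, so a Content-Type parameter cannot bypass the block.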
No need to allocate a Mime value for csv.
match *mime_type {
...
ContentType(Mime(TopLevel::Text, SubLevel::Ext(ref ext), _)) => ext == "csv",
_ => false,
}
2c3b985 to e9915f3
Thanks for the feedback @nox. Could you take another look, please?
Squash the two commits together and this is ready to be merged.
e9915f3 to e91c177
Thank you @nox. Rebased and squashed.
@jdm Shouldn't
☔ The latest upstream changes (presumably #16160) made this pull request unmergeable. Please resolve the merge conflicts.
e91c177 to d6dab7b
Rebased and moved tests to
☔ The latest upstream changes (presumably #16214) made this pull request unmergeable. Please resolve the merge conflicts.
d6dab7b to cf44fab
Seems good to me.
components/net/fetch/methods.rs (outdated)
// Defer rebinding result | ||
blocked_error_response = Response::network_error(NetworkError::Internal("Blocked by nosniff".into())); | ||
blocked_error_response = Response::network_error( | ||
NetworkError::Internal("Blocked by nosniff or mime type".into())); |
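Review bot: folding both rules into the single `"Blocked by nosniff or mime type"` error on the last two lines throws away which check fired, and that is the first thing anyone debugging a blocked script load needs to know; give the MIME-type check its own `else if` branch with its own `NetworkError::Internal` message and leave the existing `"Blocked by nosniff"` message as it was.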
Please instead do a else if block and separate the two blocking errors.
cf44fab to 29a56c4
Done. r? @nox
@bors-servo r+
📌 Commit 29a56c4 has been approved by |
Block scripts with text/csv, audio/*, video/* and image/* mime types

This patch implements step 12 of the Main Fetch section of the Fetch API standard. It blocks the load of scripts with `text/csv`, `audio/*`, `video/*` and `image/*` mime types. Credit for the logic of the `should_block_mime_type` function should go to the author of #14770.

- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #14520
- [X] There are tests for these changes

This change is Reviewable: https://reviewable.io/reviews/servo/servo/16126

☀️ Test successful - android, arm32, arm64, linux-dev, linux-rel-css, linux-rel-wpt, mac-dev-unit, mac-rel-css, mac-rel-wpt1, mac-rel-wpt2, windows-msvc-dev
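The check the PR implements, written out as a stand-alone example. This is added illustration, not Servo's code and not the `mime`/`hyper` types the diff above uses: `Destination`, `MimeType`, `parse_mime` and `should_be_blocked_due_to_mime_type` are names chosen for this example, and the sample Content-Type values in `main` are constructed. It shows the two edge cases the review thread turns on: a Content-Type parameter such as `charset` must not defeat the `text/csv` match, and a missing or unparseable header is allowed, as the spec says.

```rust
/// The part of the request that step 12 looks at: whether the response is
/// destined for a script. (Hypothetical enum for this example.)
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Destination {
    Script,
    Image,
    Document,
}

/// A parsed Content-Type. Type and subtype are lower-cased; parameters are
/// kept apart so the block decision can ignore them.
#[derive(Debug, Clone, PartialEq)]
pub struct MimeType {
    pub top: String,
    pub sub: String,
    pub params: Vec<(String, String)>,
}

/// Extract a MIME type from a Content-Type header value. Returns None when
/// there is no "type/subtype" essence; the spec treats that as "allowed".
pub fn parse_mime(header: &str) -> Option<MimeType> {
    let mut parts = header.split(';');
    // `split` always yields at least one item, so this `next()` is never None.
    let essence = parts.next()?.trim();
    let (top, sub) = essence.split_once('/')?;
    let (top, sub) = (top.trim(), sub.trim());
    if top.is_empty() || sub.is_empty() {
        return None;
    }
    // Parameters: "name=value" pairs after the essence, quotes stripped.
    let params: Vec<(String, String)> = parts
        .filter_map(|p| p.split_once('='))
        .map(|(k, v)| (k.trim().to_ascii_lowercase(), v.trim().trim_matches('"').to_string()))
        .collect();
    Some(MimeType {
        top: top.to_ascii_lowercase(),
        sub: sub.to_ascii_lowercase(),
        params,
    })
}

/// Fetch main-fetch step 12: block a script-destined response whose MIME type
/// is text/csv, audio/*, video/* or image/*. Parameters are ignored on purpose,
/// and a missing or unparseable header returns "allowed" (false).
pub fn should_be_blocked_due_to_mime_type(dest: Destination, content_type: Option<&str>) -> bool {
    if dest != Destination::Script {
        return false;
    }
    let mime = match content_type.and_then(parse_mime) {
        Some(m) => m,
        None => return false,
    };
    match (mime.top.as_str(), mime.sub.as_str()) {
        ("audio", _) | ("video", _) | ("image", _) => true,
        ("text", "csv") => true,
        _ => false,
    }
}

fn main() {
    // Constructed sample responses, not captured from any real server.
    let samples = [
        (Destination::Script, Some("application/javascript")),
        (Destination::Script, Some("text/csv")),
        (Destination::Script, Some("text/csv; charset=utf-8")),
        (Destination::Script, Some("Image/SVG+XML")),
        (Destination::Script, None),
        (Destination::Script, Some("not-a-mime-type")),
        (Destination::Image, Some("image/png")),
    ];
    for (dest, ct) in samples.iter() {
        let verdict = if should_be_blocked_due_to_mime_type(*dest, *ct) { "blocked" } else { "allowed" };
        println!("{:?} {:?}: {}", dest, ct, verdict);
    }
}
```

The match on `(top, sub)` with the parameter list left out is the point of the example: equality on a whole parsed MIME value, parameters included, would let `text/csv; charset=utf-8` through, which is what the review thread asks the patch to avoid.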
Upstreamed from servo/servo#16126 [ci skip]