Resolves #4183 - Implementing context-based MIME type sniffing #7842
highfive commented Oct 3, 2015

Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @larsbergstrom (or someone else) soon.
| // 1. If the supplied MIME type is undefined, [unspecified at the time of this implementation, so fallback to Browsing] | ||
| // 2. The computed MIME type is the supplied MIME type. | ||
| match *supplied_type { | ||
| None => self.classify(LoadContext::Browsing, no_sniff_flag, apache_bug_flag, supplied_type, data), |
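Review bot: the `None` arm sends an undefined supplied type through `LoadContext::Browsing` sniffing instead of implementing the style-context step, which the bracketed comment itself says is left unspecified; browsing-context sniffing classifies a body by its content, so a stylesheet fetched with no Content-Type is computed from whatever its first bytes resemble rather than as `text/css`, and the two numbered comments no longer describe what the match does. Replace the placeholder with the spec step and have the `None` arm return `text/css` (or `text/plain` if the more conservative option discussed later in review is preferred), leaving the `Some` case as the supplied type.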
eefriedman (Contributor) commented Oct 3, 2015
The actual algorithm should be something like this:
- If the supplied MIME type is undefined, the computed MIME type is "text/css".
- The computed MIME type is the supplied MIME type.
Yoric (Author, Contributor) commented Oct 4, 2015
Fine with me. I just wanted to make sure that I didn't accidentally add something incompatible.
In terms of testing this... we don't actually examine the mime type in non-browser contexts, so I'm pretty sure it's impossible to test without other changes. That said, it would probably be pretty easy to add some sensitivity. For example, if we only tried to render images which have a known mimetype, you could check that in an
| // | ||
| // 4. The computed MIME type is the supplied MIME type. | ||
| match MIMEClassifier::maybe_get_media_type(supplied_type) { | ||
| Some(MediaType::Xml) | Some(MediaType::Html) => supplied_type.clone(), |
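Review bot: the arm `Some(MediaType::Xml) | Some(MediaType::Html) => supplied_type.clone()` exempts HTML from image sniffing, but the spec step it implements ("If the supplied MIME type is an XML type") names XML only, so a response labelled `text/html` whose body carries an image signature is never sniffed as an image here, diverging from the algorithm; drop `Some(MediaType::Html)`. The `// 4. The computed MIME type is the supplied MIME type.` comment also sits directly above this first arm, which is step 1 rather than step 4, so the step comments should be placed beside the arms they describe.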
eefriedman (Contributor) commented Oct 4, 2015
"1. If the supplied MIME type is an XML type," doesn't mention HTML.
For testing purposes, perhaps only if sniffing is activated (which will be the default eventually).
I have applied the change you suggested to the image cache, but I haven't been able to see any different behavior. I suspect that the actual culprit is actually my lack of mastery of Apache, though, as Rust and Firefox seem to have the exact same behavior. What's the next step?
Rebased. @jdm, I'm waiting for your instructions.
For testing, you could add a MIME type check to the font-loading code (with a server that returns no Content-Type), and look at the

Reviewed 12 of 12 files at r1, 3 of 3 files at r2, 5 of 5 files at r3.
- components/net/http_loader.rs, line 141 [r1]
- components/net/mime_classifier.rs, line 76 [r1]
- components/net/mime_classifier.rs, line 79 [r1]
- components/net/mime_classifier.rs, line 90 [r1]
- components/net/mime_classifier.rs, line 109 [r1]
- components/net/mime_classifier.rs, line 118 [r1]
- components/net/mime_classifier.rs, line 228 [r1]
- components/net_traits/lib.rs, line 137 [r2]
- components/script/document_loader.rs, line 41 [r1]

Comments from the review on Reviewable.io
Review status: all files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

components/net/mime_classifier.rs, line 109 [r1]: Granted, this is known to be a tricky area; sniffing CSS can lead to cross-origin attacks. See http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx etc. If we wanted to be extremely conservative, we could sniff to text/plain if the MIME type is unspecified.

components/net/mime_classifier.rs, line 118 [r1]:
The version of the standard is not finalized at the time of this writing. Specifications may be found here: https://mimesniff.spec.whatwg.org/#context-specific-sniffing.
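The two review points above (an undefined Content-Type in a style context computes to text/css rather than falling back to browsing-context sniffing, and the image-context exemption covers XML types only, not HTML), together with jdm's cross-origin CSS concern and his text/plain alternative, as an added example that is not Servo's code. It models the style, image and browsing contexts of the spec linked above in cut-down form: `LoadContext`, `StyleFallback`, `classify`, `sniff_image` and `sniff_browsing` are this example's own names (Servo's `MIMEClassifier` has a different signature), `sniff_browsing` handles only a handful of HTML and image patterns, the sample bodies are constructed, and `accept_as_stylesheet` is an illustrative consumer policy, not something the PR implements.

```rust
// Added example, not Servo code: a cut-down model of context-specific MIME
// sniffing after https://mimesniff.spec.whatwg.org/#context-specific-sniffing.
// LoadContext, StyleFallback, classify, sniff_image, sniff_browsing and
// accept_as_stylesheet are this example's own names.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum LoadContext {
    Browsing,
    Image,
    Style,
}

/// What an undefined Content-Type computes to in a style context: text/css
/// per the spec, or text/plain for the conservative variant floated in review.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum StyleFallback {
    TextCss,
    TextPlain,
}

/// Image type pattern matching (spec section 6.1), reduced to three signatures.
pub fn sniff_image(header: &[u8]) -> Option<&'static str> {
    const PNG: &[u8] = b"\x89PNG\r\n\x1a\n";
    const JPEG: &[u8] = b"\xFF\xD8\xFF";
    if header.starts_with(PNG) {
        Some("image/png")
    } else if header.starts_with(b"GIF87a") || header.starts_with(b"GIF89a") {
        Some("image/gif")
    } else if header.starts_with(JPEG) {
        Some("image/jpeg")
    } else {
        None
    }
}

/// XML MIME type per the spec: text/xml, application/xml, or a "+xml" subtype.
/// text/html is deliberately not an XML type.
fn is_xml_type(mime: &str) -> bool {
    let essence = mime.split(';').next().unwrap_or("").trim().to_ascii_lowercase();
    essence == "text/xml" || essence == "application/xml" || essence.ends_with("+xml")
}

/// Stand-in for browsing-context sniffing: an HTML tag at the start of the body
/// becomes text/html, a known image signature its image type, anything else
/// text/plain. Enough to show what the PR's original fallback would compute.
pub fn sniff_browsing(header: &[u8]) -> String {
    if let Some(t) = sniff_image(header) {
        return t.to_string();
    }
    let start = header.iter().position(|b| !b.is_ascii_whitespace()).unwrap_or(header.len());
    let lower: Vec<u8> = header[start..].iter().take(16).map(|b| b.to_ascii_lowercase()).collect();
    if lower.starts_with(b"<!doctype html") || lower.starts_with(b"<html") {
        "text/html".to_string()
    } else {
        "text/plain".to_string()
    }
}

/// Computed MIME type for a resource fetched in `context`, given the supplied
/// Content-Type (None when the server sent none) and the resource header.
pub fn classify(context: LoadContext, fallback: StyleFallback, supplied: Option<&str>, header: &[u8]) -> Option<String> {
    match context {
        // Style context: an undefined type computes to the fallback; a present
        // type is never second-guessed, so a cross-origin HTML page requested as
        // a stylesheet stays text/html and the caller can refuse it.
        LoadContext::Style => {
            let undefined = match fallback {
                StyleFallback::TextCss => "text/css",
                StyleFallback::TextPlain => "text/plain",
            };
            Some(supplied.unwrap_or(undefined).to_string())
        }
        // Image context: step 1 exempts XML types only, then the image signature
        // wins, otherwise the supplied type (possibly still undefined) stands.
        LoadContext::Image => {
            if let Some(t) = supplied {
                if is_xml_type(t) {
                    return Some(t.to_string());
                }
            }
            if let Some(t) = sniff_image(header) {
                return Some(t.to_string());
            }
            supplied.map(str::to_string)
        }
        // Browsing context, simplified: sniff the body only when no type was supplied.
        LoadContext::Browsing => Some(match supplied {
            Some(t) => t.to_string(),
            None => sniff_browsing(header),
        }),
    }
}

/// Illustrative consumer policy (this example's, not the PR's): a cross-origin
/// stylesheet is applied only when its computed type is text/css.
pub fn accept_as_stylesheet(same_origin: bool, computed: &str) -> bool {
    same_origin || computed == "text/css"
}

fn main() {
    // Constructed samples: an HTML document a page might pull in cross-origin
    // via <link rel=stylesheet>, and a genuine stylesheet, both served with no
    // Content-Type header.
    let html: &[u8] = b"<html><body>secret-token</body></html>";
    let css: &[u8] = b"body { color: red }";
    for (name, body) in [("html body", html), ("css body", css)] {
        let browsing = classify(LoadContext::Browsing, StyleFallback::TextCss, None, body).unwrap();
        let spec = classify(LoadContext::Style, StyleFallback::TextCss, None, body).unwrap();
        let conservative = classify(LoadContext::Style, StyleFallback::TextPlain, None, body).unwrap();
        println!("{}: PR fallback={} spec={} conservative={} (cross-origin apply under spec: {})",
                 name, browsing, spec, conservative, accept_as_stylesheet(false, &spec));
    }
    let png = b"\x89PNG\r\n\x1a\n\0\0\0\rIHDR";
    println!("Image context, Content-Type text/html, PNG body -> {:?}",
             classify(LoadContext::Image, StyleFallback::TextCss, Some("text/html"), png));
}
```

Running it shows the three outcomes side by side: the PR's browsing fallback turns the HTML body into text/html and, worse for functionality, the real stylesheet into text/plain; the spec rule computes text/css for both, which is what lets a no-Content-Type HTML page be applied cross-origin as CSS; the text/plain variant refuses both, trading stylesheets from misconfigured servers for the stricter posture. The image case shows the HTML exemption question: with XML-only step 1, a text/html response carrying a PNG signature is computed as image/png.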
Rebased in #8190.
Implementing context-based MIME type sniffing. This is a rebase of #7842 that also adds a test. Fixes #4183. @Yoric, how's this look to you? (Review on Reviewable: https://reviewable.io/reviews/servo/servo/8190)
Yoric commented Oct 3, 2015
As mentioned in #4183, I'm not sure how to test this.