Resolves #4183 - Implemementing context-based MIME type sniffing

[Yoric]

As mentioned in #4183, I'm not sure how to test this.

[highfive]

Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @larsbergstrom (or someone else) soon.

[eefriedman]

The actual algorithm should be something like this:

1. If the supplied MIME type is undefined, the computed MIME type is "text/css".
2. The computed MIME type is the supplied MIME type.

[Yoric]

Fine with me. I just wanted to make sure that I didn't accidentally add something incompatible.

[eefriedman]

Script should default to "application/javascript".

[Yoric]

What, no vbscript :) ?
I'll do that.

[eefriedman]

In terms of testing this... we don't actually examine the mime type in non-browser contexts, so I'm pretty sure it's impossible to test without other changes. That said, it would probably be pretty easy to add some sensitivity. For example, if we only tried to render images which have a known mimetype, you could check that in an <img> tag an image served as text/html application/mathml+xml doesn't get rendered, but an image served as application/octet-stream does.

[Yoric]

That said, it would probably be pretty easy to add some sensitivity. For example, if we only tried to render images which have a known mimetype, you could check that in an tag an image served as text/html doesn't get rendered, but an image served as application/octet-stream does.

Do you think we want this in Servo? Perhaps if sniffing is deactivated?

[eefriedman]

"1. If the supplied MIME type is an XML type," doesn't mention HTML.

[Yoric]

My bad, misread the definition of XML type.

[eefriedman]

Do you think we want this in Servo? Perhaps if sniffing is deactivated?

For testing purposes, perhaps only if sniffing is activated (which will be the default eventually).

[Yoric]

I have applied the change you suggested to the image cache, but I haven't been able to see any different behavior. I suspect that the actual culprit is actually my lack of mastery of Apache, though, as Rust and Firefox seem to have the exact same behavior.

What's the next step?

[bors-servo]

☔ The latest upstream changes (presumably #7882) made this pull request unmergeable. Please resolve the merge conflicts.

[Yoric]

Rebased. @jdm, I'm waiting for your instructions.

[bors-servo]

☔ The latest upstream changes (presumably #7967) made this pull request unmergeable. Please resolve the merge conflicts.

[jdm]

For testing, you could add a MIME type check to the font-loading code (with a server that returns no Content-Type), and look at the Content-Type response header for an XHR to the same font.
-S-awaiting-review +S-needs-code-changes

---

Reviewed 12 of 12 files at r1, 3 of 3 files at r2, 5 of 5 files at r3.
Review status: all files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

---

^{components/net/http_loader.rs, line 141 [r1] (raw file):}
The should be the same context as the original load.

---

^{components/net/mime_classifier.rs, line 76 [r1] (raw file):}
It's generally preferred to have comments like // Step 1 rather than quoting the full spec text.

---

^{components/net/mime_classifier.rs, line 79 [r1] (raw file):}
nit: . should be on the next line

---

^{components/net/mime_classifier.rs, line 90 [r1] (raw file):}
Remove the HTML here.

---

^{components/net/mime_classifier.rs, line 109 [r1] (raw file):}
@elifriedman Do you have sources to back this up? MIME sniffing is really hairy; I'd rather stick to implementing the precise spec text to start (i.e. don't take any action here)

---

^{components/net/mime_classifier.rs, line 118 [r1] (raw file):}
This does not sound like a good idea to me; script sniffing-related errors are some of the most easily exploited. I'd rather take no action at all until the spec is clarified.

---

^{components/net/mime_classifier.rs, line 228 [r1] (raw file):}
supplied_type.map(|(ref media_type, ref media_subtype)| {
MIMEClassifier::get_media_type(media_type, media_subtype)
})

---

^{components/net_traits/lib.rs, line 137 [r2] (raw file):}
Let's use /// so it shows up in the docs.

---

^{components/script/document_loader.rs, line 41 [r1] (raw file):}
nit: | on the previous line, please.

---

Comments from the review on Reviewable.io

[eefriedman]

Review status: all files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

---

^{components/net/mime_classifier.rs, line 109 [r1] (raw file):}
Firefox also picks text/css for an unspecified MIME type; see http://mxr.mozilla.org/mozilla-central/source/layout/style/Loader.cpp#925 .

Granted, this is known to be a tricky area; sniffing CSS can lead to cross-origin attacks. See http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx etc.

If we wanted to be extremely conservative, we could sniff to text/plain if the MIME type is unspecified.

---

^{components/net/mime_classifier.rs, line 118 [r1] (raw file):}
Err, I'm not sure exactly what you think the risk is here? Firefox doesn't check the MIME type of JavaScript at all.

---

Comments from the review on Reviewable.io

[jdm]

Rebased in #8190.