
Block `image/*` resources loaded as script

Fixes https://www.w3.org/Bugs/Public/show_bug.cgi?id=27852. Chrome
implemented this change in
https://bugs.chromium.org/p/chromium/issues/detail?id=433049, and has
been shipping it for over a year.

PR: #261
mikewest authored and annevk committed Mar 23, 2016
1 parent 00356dd commit b561a73f23b7139d5f4bb0de322dc37e74af0091
Showing with 73 additions and 25 deletions.
  1. +41 −16 Overview.html
  2. +32 −9 Overview.src.html
@@ -7,7 +7,7 @@

<p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
<h1 id="cors">Fetch</h1>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-18-march-2016">Living Standard — Last Updated 18 March 2016</h2>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-24-march-2016">Living Standard — Last Updated 24 March 2016</h2>

<dl>
<dt>Participate:
@@ -57,10 +57,12 @@ <h2 class="no-num no-toc" id="table-of-contents">Table of Contents</h2>
<li><a href="#fetch-groups"><span class="secno">3.3 </span>Fetch groups</a></li>
<li><a href="#connections"><span class="secno">3.4 </span>Connections</a></li>
<li><a href="#port-blocking"><span class="secno">3.5 </span>Port blocking</a></li>
<li><a href="#referrer-policies"><span class="secno">3.6 </span>Referrer policies</a></li>
<li><a href="#streams"><span class="secno">3.7 </span>Streams</a>
<li><a href="#should-response-to-request-be-blocked-due-to-mime-type?"><span class="secno">3.6 </span>Should
<var>response</var> to <var>request</var> be blocked due to its MIME type?</a></li>
<li><a href="#referrer-policies"><span class="secno">3.7 </span>Referrer policies</a></li>
<li><a href="#streams"><span class="secno">3.8 </span>Streams</a>
<ol>
<li><a href="#readablestream"><span class="secno">3.7.1 </span>ReadableStream</a></ol></ol></li>
<li><a href="#readablestream"><span class="secno">3.8.1 </span>ReadableStream</a></ol></ol></li>
<li><a href="#http-extensions"><span class="secno">4 </span>HTTP extensions</a>
<ol>
<li><a href="#origin-header"><span class="secno">4.1 </span>`<code title="">Origin</code>` header</a></li>
@@ -1397,7 +1399,26 @@ <h3 id="port-blocking"><span class="secno">3.5 </span>Port blocking</h3>
<!-- http://www-archive.mozilla.org/projects/netlib/PortBanning.html -->


<h3 id="referrer-policies"><span class="secno">3.6 </span>Referrer policies</h3>
<h3 id="should-response-to-request-be-blocked-due-to-mime-type?"><span class="secno">3.6 </span><dfn title="should response to request be blocked due to mime type">Should
<var>response</var> to <var>request</var> be blocked due to its MIME type?</dfn></h3>

<p>Run these steps:

<ol>
<li><p>Let <var>MIMEType</var> be the result of
<a href="#concept-header-extract-mime-type" title="concept-header-extract-mime-type">extracting a MIME type</a> from
<var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

<li><p>Let <var>type</var> be <var>request</var>'s <a href="#concept-request-type" title="concept-request-type">type</a>.

<li><p>If <var>type</var> is "<code title="">script</code>", and <var>MIMEType</var> starts with
`<code title="">image/</code>`, then return <b title="">blocked</b>.

<li><p>Return <b title="">allowed</b>.
</ol>


<h3 id="referrer-policies"><span class="secno">3.7 </span>Referrer policies</h3>

<p>A <dfn id="concept-referrer-policy" title="concept-referrer-policy">referrer policy</dfn> is the empty string,
"<code>no-referrer</code>", "<code>no-referrer-when-downgrade</code>",
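Review bot: step 1 can return failure from "extracting a MIME type" (no Content-Type header, or an unparseable one), and step 3 then asks whether failure "starts with `image/`", which is not defined; add an explicit step before step 3 such as `If MIMEType is failure, return allowed.` so a script served without a Content-Type keeps working exactly as before this change. Step 3 should also say whether the `image/` prefix comparison is ASCII case-insensitive (or note that the extraction algorithm already lowercases the type), otherwise a response labelled `Image/PNG` could slip past the block in one implementation and not another.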
@@ -1417,11 +1438,11 @@ <h3 id="referrer-policies"><span class="secno">3.6 </span>Referrer policies</h3>
<a href="#refsREFERRER">[REFERRER]</a>


<h3 id="streams"><span class="secno">3.7 </span>Streams</h3>
<h3 id="streams"><span class="secno">3.8 </span>Streams</h3>

<p class="note no-backref">This section might be integrated into other standards, such as IDL.

<h4 id="readablestream"><span class="secno">3.7.1 </span>ReadableStream</h4>
<h4 id="readablestream"><span class="secno">3.8.1 </span>ReadableStream</h4>

<p>A <dfn id="concept-readablestream" title="concept-ReadableStream">ReadableStream</dfn> object represents a
<a class="external" data-anolis-spec="streams" href="https://streams.spec.whatwg.org/#rs-class" title="readablestream">stream of data</a>. In this section, we
@@ -2107,15 +2128,19 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
<a href="#concept-network-error" title="concept-network-error">network error</a>, and <var>response</var>'s
<a href="#concept-internal-response" title="concept-internal-response">internal response</a> otherwise.

<li><p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
<a href="https://w3c.github.io/webappsec-mixed-content/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>,
<a href="https://w3c.github.io/webappsec-csp/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>,
or
<a href="#should-response-to-request-be-blocked-due-to-nosniff?" title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</a>,
returns <b title="">blocked</b>, set <var>response</var> and <var>internalResponse</var> to a
<a href="#concept-network-error" title="concept-network-error">network error</a>.
<a href="#refsMIX">[MIX]</a>
<a href="#refsCSP">[CSP]</a>
<li>
<p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and any
of the following algorithms returns <b title="">blocked</b>, then set <var>response</var> and
<var>internalResponse</var> to a <a href="#concept-network-error" title="concept-network-error">network error</a>:

<ul class="brief">
<li><a href="https://w3c.github.io/webappsec-mixed-content/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>
<a href="#refsMIX">[MIX]</a>
<li><a href="https://w3c.github.io/webappsec-csp/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>
<a href="#refsCSP">[CSP]</a>
<li><a href="#should-response-to-request-be-blocked-due-to-mime-type?" title="should response to request be blocked due to mime type">should <var>internalResponse</var> to <var>request</var> be blocked due to its MIME type</a>
<li><a href="#should-response-to-request-be-blocked-due-to-nosniff?" title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</a>
</ul>

<li>
<p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
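Review bot: every check in the new list runs on <var>internalResponse</var>, the unfiltered response from the preceding step, not on the possibly filtered <var>response</var>, so the new MIME-type block also applies to cross-origin responses whose headers the requesting script could never observe; that is the right scope for a "script loaded from an image" check, and it is worth one sentence in the new section itself so implementers do not apply it to the filtered headers by mistake. Minor: the new list items for the MIME-type and nosniff checks carry no reference annotation, unlike the `[MIX]` and `[CSP]` items, which is consistent since both algorithms live in this document, but the list lacks the trailing "or" the old sentence had; "any of the following algorithms returns blocked" covers that, so fine as written.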
@@ -1330,6 +1330,25 @@ <h3>Port blocking</h3>
<!-- http://www-archive.mozilla.org/projects/netlib/PortBanning.html -->


<h3 id="should-response-to-request-be-blocked-due-to-mime-type?"><dfn title="should response to request be blocked due to mime type">Should
<var>response</var> to <var>request</var> be blocked due to its MIME type?</dfn></h3>

<p>Run these steps:

<ol>
<li><p>Let <var>MIMEType</var> be the result of
<span title=concept-header-extract-mime-type>extracting a MIME type</span> from
<var>response</var>'s <span title=concept-response-header-list>header list</span>.

<li><p>Let <var>type</var> be <var>request</var>'s <span title=concept-request-type>type</span>.

<li><p>If <var>type</var> is "<code title>script</code>", and <var>MIMEType</var> starts with
`<code title>image/</code>`, then return <b title>blocked</b>.

<li><p>Return <b title>allowed</b>.
</ol>


<h3>Referrer policies</h3>

<p>A <dfn title=concept-referrer-policy>referrer policy</dfn> is the empty string,
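Review bot: the new section states the rule but gives no rationale; a short `<p class="note">` after the algorithm, built from the commit message (the motivating bug at https://www.w3.org/Bugs/Public/show_bug.cgi?id=27852 and the fact that Chrome has shipped this behaviour for over a year), would let spec readers see why only `script` requests with an `image/` response are affected and that the compatibility risk has already been measured. Also confirm that the `dfn title="should response to request be blocked due to mime type"` here matches, character for character, the `span title` used when main fetch references the algorithm, since Anolis resolves the cross-reference by that string and a mismatch only shows up as a build error.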
@@ -2040,15 +2059,19 @@ <h3>Main fetch</h3>
<span title=concept-network-error>network error</span>, and <var>response</var>'s
<span title=concept-internal-response>internal response</span> otherwise.

<li><p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and
<a href=https://w3c.github.io/webappsec-mixed-content/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>,
<a href=https://w3c.github.io/webappsec-csp/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>,
or
<span title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</span>,
returns <b title>blocked</b>, set <var>response</var> and <var>internalResponse</var> to a
<span title=concept-network-error>network error</span>.
<span data-anolis-ref>MIX</span>
<span data-anolis-ref>CSP</span>
<li>
<p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and any
of the following algorithms returns <b title>blocked</b>, then set <var>response</var> and
<var>internalResponse</var> to a <span title=concept-network-error>network error</span>:

<ul class="brief">
<li><a href=https://w3c.github.io/webappsec-mixed-content/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>
<span data-anolis-ref>MIX</span>
<li><a href=https://w3c.github.io/webappsec-csp/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>
<span data-anolis-ref>CSP</span>
<li><span title="should response to request be blocked due to mime type">should <var>internalResponse</var> to <var>request</var> be blocked due to its MIME type</span>
<li><span title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</span>
</ul>

<li>
<p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and
