No longer render resources requested via FTP

Downloading resources over FTP is dangerous in itself, as FTP is a non-securable protocol. But rendering resources as text/html or similar is even more dangerous for a variety of reasons (explored to some extent in https://groups.google.com/a/chromium.org/d/msg/blink-dev/eopgOoY1QLs/e1tIefOxAAAJ). This patch forces FTP resources into an application/octet-stream MIME type, which should prevent them from rendering as HTML in user agents. Closes whatwg/html#4178.
whatwg · Dec 13, 2018 · c6b3a75 · c6b3a75
1 parent e263769
commit c6b3a75
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -3711,10 +3711,32 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:
   </ol>
 
  <dt>"<code>file</code>"
+ <dd>
+  <p>For now, unfortunate as it is, <code>file</code> <a for=/>URLs</a> are left as an exercise for
+  the reader.
+
+  <p>When in doubt, return a <a>network error</a>.
+
  <dt>"<code>ftp</code>"
  <dd>
-  <p>For now, unfortunate as it is, <code>file</code> and <code>ftp</code> <a for=/>URLs</a> are
-  left as an exercise for the reader.
+  <p>For now, unfortunate as it is, <code>ftp</code> <a for=/>URLs</a> are mostly left as an
+  exercise for the reader.
+
+  <ol>
+   <li><p>Let <var>body</var> be the result of the user agent obtaining content from
+   <var>request</var>'s <a for=request>current URL</a> from the network via FTP. [[!RFC959]]
+
+   <li><p>Let </var>mime</var> be `<code>application/octet-stream</code>`.
+
+   <li><p>If <var>body</var> is the result of the user agent generating a directory listing page for
+   the result of FTP's LIST command, then set |mime| to `<code>text/ftp-dir</code>`.
+
+   <li><p>Return a <a for=/>response</a> whose <a for="response">status message</a> is
+   `<code>OK</code>`, <a for=response>header list</a> consists of a single <a for=/>header</a>
+   whose <a for=header>name</a> is `<code>Content-Type</code>` and whose <a for=header>value</a> is
+   <var>mime</var>, <a for=response>body</a> is <var>body</var>, and
+   <a for=response>HTTPS state</a> is "<code>none</code>".
+  </ol>
 
   <p>When in doubt, return a <a>network error</a>.