nosniff and images #395

Closed
annevk opened this Issue Oct 3, 2016 · 9 comments


4 participants

annevk commented Oct 3, 2016

Firefox ran into problems supporting nosniff for images (Chrome doesn't support it there). @ckerschb is going to figure out if we can enable it at some future point: https://bugzilla.mozilla.org/show_bug.cgi?id=1302539. If that doesn't work out, we'll have to change the specification.


annevk commented Nov 23, 2016

@ckerschb what do you think, is it worth it to try and enable this at some point or should we just give up on having nosniff for that?

@mikewest thoughts?

The specification also has it for fonts, media, and media track resources. I'm guessing we want to give up on those too and only handle style and script resources?

@zcorpan are media track resources still safe (like images are)?


zcorpan commented Nov 23, 2016

Yes. At least if only WebVTT is supported. TTML2 supports external resources apparently though I have pointed out that that is a problem.


annevk commented Nov 23, 2016

Okay, I hope no user agent plans on implementing that.

Given that I'd be okay with restricting nosniff to just style and script forever.


mikewest commented Nov 23, 2016

In an ideal world, supporting nosniff everywhere makes sense. Realistically, script and style are the important ones, and it's not clear to me that it's worth prioritizing work on things like nosniff support for images.

Perhaps Mozilla folks who supported the change could give a bit of detail about the relative priority? If I'm wrong, then we can make time.

annevk added a commit that referenced this issue Dec 16, 2016

Only use nosniff for "script" and "style"
For “image” it was not web-compatible and checking the others doesn’t
seem worth it given there are no known issues with sniffing there.

Closes #395.

annevk commented Dec 16, 2016

Created a PR to apply it to "script" and "style" only.

annevk added a commit to web-platform-tests/wpt that referenced this issue Dec 16, 2016


annevk commented Dec 16, 2016

Also created a WPT PR.


annevk commented Dec 16, 2016

(Seems Chrome still fails several nosniff tests around workers and such.)

annevk added a commit to web-platform-tests/wpt that referenced this issue Dec 19, 2016

annevk closed this in #438 Dec 19, 2016

annevk added a commit that referenced this issue Dec 19, 2016

Only use nosniff for "script" and "style"
For “image” it was not web-compatible and checking the others doesn’t
seem worth it given there are no known issues with sniffing there.

Tests: web-platform-tests/wpt#4356.

Closes #395.
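The check the commit above narrows is the Fetch standard's "should response to request be blocked due to nosniff?" algorithm. The following is an added example, written for this page and not taken from the Fetch specification repository, any browser, or the linked pull requests; it implements that algorithm as it stands after this change, with `nosniff` enforced only for the "script" and "style" destinations (later revisions of the standard widen "script" to all script-like destinations such as workers, which is what the worker test failures mentioned below are about). The header-lookup convention (an object keyed by lower-cased header names) and the sample responses at the end are assumptions made for the example; the JavaScript MIME type list is the one from the MIME Sniffing standard.

```javascript
// Added example: the Fetch standard's nosniff check after whatwg/fetch#395,
// i.e. enforced for the "script" and "style" destinations only.
// Not code from the Fetch spec repository or from any browser.

// JavaScript MIME type essences as listed in the MIME Sniffing standard.
const JAVASCRIPT_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// "Determine nosniff": only the header's FIRST value is looked at, compared
// ASCII case-insensitively with "nosniff". So "nosniff, foo" counts and
// "foo, nosniff" does not. `headers` is assumed to be an object keyed by
// lower-cased header names (an assumption of this example).
function determineNosniff(headers) {
  const value = headers["x-content-type-options"];
  if (value === undefined) return false;
  const first = value.split(",")[0].trim();
  return first.toLowerCase() === "nosniff";
}

// MIME type essence: "type/subtype" without parameters, lower-cased.
// Returns null when there is no Content-Type at all (the spec's "failure").
function mimeEssence(contentType) {
  if (!contentType) return null;
  return contentType.split(";")[0].trim().toLowerCase();
}

// Returns "blocked" or "allowed" for a request destination and the
// response's headers. Note that a missing Content-Type is blocked for
// script and style when nosniff is set: "failure" is not a JavaScript
// MIME type and is not text/css.
function nosniffBlocking(destination, headers) {
  if (!determineNosniff(headers)) return "allowed";
  const essence = mimeEssence(headers["content-type"]);
  if (destination === "script") {
    return JAVASCRIPT_MIME_ESSENCES.has(essence) ? "allowed" : "blocked";
  }
  if (destination === "style") {
    return essence === "text/css" ? "allowed" : "blocked";
  }
  // "image", "font", "audio", "video", "track", ... are unaffected by
  // nosniff after this issue's resolution, whatever the Content-Type says.
  return "allowed";
}

// Constructed sample responses (not real traffic) exercising the edge cases
// discussed in the thread; returns a map of label -> verdict.
function evaluateSamples() {
  const samples = {
    scriptAsTextPlain: ["script", { "x-content-type-options": "nosniff",
                                    "content-type": "text/plain" }],
    scriptWithCharset: ["script", { "x-content-type-options": "NOSNIFF",
                                    "content-type": "text/javascript; charset=utf-8" }],
    scriptNoContentType: ["script", { "x-content-type-options": "nosniff" }],
    styleAsCss: ["style", { "x-content-type-options": "nosniff",
                            "content-type": "TEXT/CSS" }],
    styleSecondValueOnly: ["style", { "x-content-type-options": "foo, nosniff",
                                      "content-type": "text/plain" }],
    imageAsTextPlain: ["image", { "x-content-type-options": "nosniff",
                                  "content-type": "text/plain" }],
  };
  const verdicts = {};
  for (const [label, [destination, headers]] of Object.entries(samples)) {
    verdicts[label] = nosniffBlocking(destination, headers);
  }
  return verdicts;
}

console.log(evaluateSamples());
```

Two details worth noticing when reading the verdicts: the image served as `text/plain` is allowed because the destination is not script or style, which is exactly the web-compatibility trade-off this issue settled on; and `foo, nosniff` does not enable the check, because only the first header value is consulted, so a misconfigured header that prepends another token silently disables the protection.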

annevk commented Dec 19, 2016

The Gecko bugs that get resolved through this change are: https://bugzilla.mozilla.org/show_bug.cgi?id=1289055, https://bugzilla.mozilla.org/show_bug.cgi?id=1289056, and https://bugzilla.mozilla.org/show_bug.cgi?id=1289057. Haven't closed them myself since @ckerschb might have to do some cleanup.

alrra added a commit to webhintio/hint that referenced this issue Jan 23, 2018

Breaking: Limit `X-Content-Type-Options` usage
Change `x-content-type-options` rule so that it limits the usage
of the `X-Content-Type-Options` header to scripts and stylesheets
as modern browsers actually only respect the header for those
types of resources¹.

Also, sending the header for resources such as images creates
problems² in some older browsers.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

¹ https://fetch.spec.whatwg.org/#x-content-type-options-header
² whatwg/fetch#395

Fix #767
Close #772

rugk commented Dec 11, 2018

> Realistically, script and style are the important ones, and it's not clear to me that it's worth prioritizing work on things like nosniff support for images.

😱 You realize you introduced a security risk here?

Actually also "HTML" can be a malicious mime type, as it can obviously embed JS. (Maybe also other types such as SVG?)

See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject. Please do watch the whole talk, it's good! 😄