-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nosniffing for Worker Scripts #3255
Comments
I do think this is a good idea. The numbers we have in Beta right now look pretty reasonable for the narrow case you've outlined (workers themselves, and scripts they import), and it would be nice to unify the requirements for workers and module scripts. For the broader case of I'd be interested in opinions from other folks in @whatwg/security. Is this kind of restriction something other vendors would also be interested in experimenting with? |
Mozilla is. We've been looking into this as well; @evilpie primarily (added the |
It would be interesting to find out if Mozilla's users are seeing similar ranges of scripts to Chrome's users. @evilpie, do y'all have any metrics in place for script content types? |
I am always excited about restricting those MIME types further. |
It's interesting that the HTTP Archive data look quite different from @otherdaniel's telemetry data. Probably a matter of what happens when you weight by load frequency? How does Chrome's telemetry handle empty Content-Type headers? |
I expect that frequency weighting will give radically different results than number of resources requested, yes. The data @otherdaniel pointed to is also from beta, not stable, which will certainly shift things a bit (though usually the same order of magnitude).
Looks like the data doesn't include empty I dug into this a bit earlier in the week, pulling a list of sites that triggered the metrics we have in stable from HTTP Archive, and loading ~7k of them from my workstation overnight (raw data in a Google Sheets doc) with a build that dumps a bit more detail about the requests. This also doesn't give us frequency-weighted data, but it's at least somewhere to start. Some highlights: Types(Random data in the "Analysis" tab of the sheet)
Hosts(Data in the "Hosts per Type" tab of the sheet)
|
Also, their HTML version is broken, so.... I'm not terribly worried about breaking it. :) ) ???? |
I did a bit more research this morning via HTTP Archive: https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/jCHygAPuCQAJ The high-level conclusion there is that Facebook and VK have ~widely used endpoints that serve JSONP as |
(And that not much else looks like it would break in a way visible to users) |
This addresses a portion of the proposal in #3255. Tentative tests have landed in [1]. [1]: https://github.com/web-platform-tests/wpt/blob/master/workers/importscripts_mime.tentative.any.js
This addresses a portion of the proposal in #3255.
@mikewest Have you talked to any of those JSONP providers about changing their Content-Type to JavaScript? |
@evilpie: Facebook fixed their endpoint, VK never responded. |
@mikewest It seems like |
This addresses a portion of the proposal in whatwg#3255.
This addresses a portion of the proposal in whatwg#3255.
I am going to try blocking Worker scripts with wrong MIME types in Firefox. |
The friendly folks at HTTP Archive turned on
|
Content Type | Count | |
---|---|---|
application/javascript | 17076 | 97.5326% |
application/x-javascript | 179 | 1.0224% |
text/javascript | 167 | 0.9538% |
text/html | 44 | 0.2513% |
application/octet-stream | 16 | 0.0914% |
application/xml | 14 | 0.0800% |
9 | 0.0514% | |
text/plain | 2 | 0.0114% |
text/x-js | 1 | 0.0057% |
Sec-Fetch-Dest=serviceworker
Content Type | Count | |
---|---|---|
application/javascript | 23531 | 76.7958% |
text/javascript | 4045 | 13.2013% |
application/x-javascript | 1611 | 5.2577% |
text/html | 1006 | 3.2832% |
408 | 1.3315% | |
text/plain | 19 | 0.0620% |
application/xml | 7 | 0.0228% |
application/json | 5 | 0.0163% |
application/binary | 3 | 0.0098% |
application/javascript�text/javascript | 1 | 0.0033% |
application/javascript�application/javascript | 1 | 0.0033% |
application/ecmascript | 1 | 0.0033% |
image/gif | 1 | 0.0033% |
text/css | 1 | 0.0033% |
text/ecmascript | 1 | 0.0033% |
Sec-Fetch-Dest=sharedworker
Content Type | Count | |
---|---|---|
application/x-javascript | 23 | 47.9167% |
application/javascript | 21 | 43.7500% |
text/html | 2 | 4.1667% |
text/javascript | 2 | 4.1667% |
Queries are of the form:
SELECT
JSON_EXTRACT_SCALAR(payload, '$.response.content.mimeType') as type,
count(*) as count
FROM `httparchive.requests.2019_05_01_desktop`
WHERE
STRPOS(payload, '{"name":"Sec-Fetch-Dest","value":"worker"}') != 0
GROUP BY type
The service worker results seem somewhat suspect given that the service worker specification explicitly requires a correct MIME type, if I remember correctly. |
These are just examining the headers of outgoing requests and incoming responses, not necessarily successful executions. |
That said, I'm just blindly trusting the
I wouldn't be shocked if something about HTTP Archive made some pages respond strangely, but it does seem like the data is pointing in a reasonable direction. |
I suspect the non-js SW types are for scripts that are no longer hosted on servers, but there are still clients with registrations asking for updates. Things with text/html are probably 404 pages, etc. |
Nope. Each page load is done with a completely clean browser profile. More
likely there is code in the page still referencing a worker that was
removed (or never created).
…On Tue, May 28, 2019 at 8:26 AM Mike West ***@***.***> wrote:
The data I'm pointing to here is HTTP Archive. I don't think they keep
clients around with state that could affect future runs? @pmeenan
<https://github.com/pmeenan> or @rviscomi <https://github.com/rviscomi>
would know.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3255?email_source=notifications&email_token=AADMOBOSZ2ODIHOKTUPDQSLPXVFKLA5CNFSM4EFHKU52YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWMP2QQ#issuecomment-496565570>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADMOBN4T4WPPD5FT7UOMZDPXVFKLANCNFSM4EFHKU5Q>
.
|
I'm willing to try to land this based on your implementation experience. I don't have any additional metrics to point to. So I'll point to yours and see if folks scream. |
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#716121}
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#716121}
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#716121}
We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#716121}
…E type checks for workers., a=testonly Automatic update from web-platform-tests Add a runtime flag to enforce strict MIME type checks for workers. We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#716121} -- wpt-commits: 685bedecda0a8199f4436dc195ad6ad859ad66e7 wpt-pr: 20294
…E type checks for workers., a=testonly Automatic update from web-platform-tests Add a runtime flag to enforce strict MIME type checks for workers. We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Daniel Vogelheim <vogelheimchromium.org> Cr-Commit-Position: refs/heads/master{#716121} -- wpt-commits: 685bedecda0a8199f4436dc195ad6ad859ad66e7 wpt-pr: 20294 UltraBlame original commit: 4b8fbfd0c8b86c00b2370d8773000f6e694b37ab
…E type checks for workers., a=testonly Automatic update from web-platform-tests Add a runtime flag to enforce strict MIME type checks for workers. We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Daniel Vogelheim <vogelheimchromium.org> Cr-Commit-Position: refs/heads/master{#716121} -- wpt-commits: 685bedecda0a8199f4436dc195ad6ad859ad66e7 wpt-pr: 20294 UltraBlame original commit: 4b8fbfd0c8b86c00b2370d8773000f6e694b37ab
…E type checks for workers., a=testonly Automatic update from web-platform-tests Add a runtime flag to enforce strict MIME type checks for workers. We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Daniel Vogelheim <vogelheimchromium.org> Cr-Commit-Position: refs/heads/master{#716121} -- wpt-commits: 685bedecda0a8199f4436dc195ad6ad859ad66e7 wpt-pr: 20294 UltraBlame original commit: 4b8fbfd0c8b86c00b2370d8773000f6e694b37ab
…E type checks for workers., a=testonly Automatic update from web-platform-tests Add a runtime flag to enforce strict MIME type checks for workers. We're currently enforcing strict MIME type checks for `importScripts()` and nested workers. Firefox would like to enforce them for the top-level worker script as well. We should follow suit. This patch also excludes `blob:`, `filesystem:`, and `data:` from scripty MIME type checks. This is the behavior Firefox is shipping, and seems reasonable, given that the risk of sniffing scripts is highest when dealing with resources delivered from a server, rather than resources which are already accessible to the page causing their execution. whatwg/html#3255 https://bugzilla.mozilla.org/show_bug.cgi?id=1583657 Bug: 794548 Change-Id: Ia55621243b8e279a30f457c6a3a20b9fa13cd3d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1917528 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#716121} -- wpt-commits: 685bedecda0a8199f4436dc195ad6ad859ad66e7 wpt-pr: 20294
@mikewest Hey! Nice, I see you landed this back in November. Did you encounter any problems? |
We intent to ship this change with Firefox 75. /cc @annevk |
I'll work on a spec PR |
This is part of the general program of tightening MIME type checks on scripts. d1c3679 introduced enforcement for worker-imported scripts, and this commit completes the picture for workers, leaving only "fetch a classic script" without the check. Closes #3255. This also makes some editorial tweaks to the script fetching algorithms to align with modern conventions, while we're in the area.
This is part of whatwg#3255.
I wonder if we could get some kind of status update here. Seems like Chrome isn't shipping this yet. We just ran into a web compat issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1748157 |
@domenic Have you heard anything? |
I heard a few "I'll look into that", but nobody reached the level of following up, from what I can tell :( |
This policy lets enterprise admins override an upcoming change to MIME type checking for worker scripts and thus limit the potential compatibility impact for their users. This policy is in support of the following spec change / Blink intent: Intent to remove: https://groups.google.com/a/chromium.org/g/blink-dev/c/35t5cJQ3J_Q/ Spec ref: whatwg/html#3255 Bug: 765544 Change-Id: I9b7f4f006acca295e706f9fce8b7a0b77886d3e2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3804723 Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1045886}
This policy lets enterprise admins override an upcoming change to MIME type checking for worker scripts and thus limit the potential compatibility impact for their users. This policy is in support of the following spec change / Blink intent: Intent to remove: https://groups.google.com/a/chromium.org/g/blink-dev/c/35t5cJQ3J_Q/ Spec ref: whatwg/html#3255 Bug: 765544 Change-Id: I9b7f4f006acca295e706f9fce8b7a0b77886d3e2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3804723 Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1045886} NOKEYCHECK=True GitOrigin-RevId: 95b5f2c7b9379f4c6427c07ffe619e9a88a2cbed
8.1.3.2 Fetching scripts says:
Chrome would like to be more strict about the non-module scripts, too. On Chrome's beta channel, we see:
These numbers would probably support blocking non-script MIME types for the "fetch a classic worker script" and "fetch a classic worker-imported script" cases, too, but not (yet) for all script types.
Would this make sense?
@mikewest
The text was updated successfully, but these errors were encountered: