Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stricter filter for responses without MIME type #28

Open
annevk opened this issue Oct 4, 2021 · 0 comments
Open

Stricter filter for responses without MIME type #28

annevk opened this issue Oct 4, 2021 · 0 comments
Labels

Comments

@annevk
Copy link
Owner

annevk commented Oct 4, 2021

@tomrittervg inspired me to revisit whatwg/fetch#964 which is the main reason we have this step currently:

If mimeType is failure, then return true.

At this point in the algorithm we only care about responses that are CSS or JavaScript and want to block everything else. So a thing that could be done here in theory:

  1. If mimeType is not failure and it's essence starts with "audio/", "image/", or "video/", then return false.
  2. If response's body parses as JavaScript and does not parse as JSON, then return true.
  3. If mimeType is not failure, then return false. (Because CSS either needs text/css (which is safelisted early) or failure.)
  4. We parse as CSS, then serialize the result and return that in a fresh response body. (This should end up hiding a lot of information as while everything can be parsed as CSS, a lot of things end up being dropped in the process of doing so.)

This would require the oracle process to run more often (can be somewhat offset with #27 perhaps), but it would block even more problematic cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant