
Issue 765544

Starred by 5 users

Issue metadata

Status: Assigned
OS: Linux, Android, Windows, Chrome, Mac
Pri: 3
Type: Bug




Work towards `nosniff` by default.

Project Member Reported by mkwst@chromium.org, Sep 15 2017

Issue description

It would be lovely if we didn't load cross-origin script when delivered as `text/*`. The usage is, unfortunately, huge.

Perhaps we can carve out some pieces if we try. Also, perhaps all the usage is ad networks, which would reduce the impact to users of breakage.
 

Comment 1 by mkwst@chromium.org, Sep 15 2017

Owner: vogelheim@chromium.org
Daniel, would you mind taking a stab at increasing the granularity of our metrics? Currently, we're measuring things at a very high level in https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/ClassicScript.cpp?l=19

It would be helpful to get more detailed in two ways:

1.  HTML bans a few types that we don't currently ban. We should add specific metrics for `text/plain`, `text/xml`, `application/octet-stream`, and `application/xml`. I imagine `text/html` is going to be massive, but we should split that out too.

2.  It would be helpful to split out document contexts from `importScripts()` in Workers. Perhaps we can be stricter with the latter than we can with the former.
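
A sketch of the finer-grained bucketing Comment 1 asks for, as an added example that is not Chromium's UseCounter code: it classifies each script load by context (document vs. `importScripts()`), origin relationship and Content-Type essence. The bucket names, function names and sample loads are constructed for illustration.

```javascript
// Added example, not Chromium code: bucket names and sample data are hypothetical.
// MIME types Comment 1 asks to count individually.
const TRACKED = new Set(['text/plain', 'text/xml', 'application/octet-stream',
  'application/xml', 'text/html']);
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_TYPES = new Set(['application/ecmascript', 'application/javascript',
  'application/x-ecmascript', 'application/x-javascript', 'text/ecmascript',
  'text/javascript', 'text/javascript1.0', 'text/javascript1.1',
  'text/javascript1.2', 'text/javascript1.3', 'text/javascript1.4',
  'text/javascript1.5', 'text/jscript', 'text/livescript', 'text/x-ecmascript',
  'text/x-javascript']);

// Reduce a Content-Type header value to its lowercase "type/subtype" essence.
function essence(contentType) {
  const e = String(contentType || '').split(';')[0].trim().toLowerCase();
  return /^[^\/\s]+\/[^\/\s]+$/.test(e) ? e : '';
}

// Return a bucket such as "worker.cross-origin.text/plain" for one script load.
// context is "document" (script element) or "worker" (importScripts()).
function classify({ pageUrl, scriptUrl, contentType, context }) {
  const origin = new URL(scriptUrl, pageUrl).origin === new URL(pageUrl).origin
    ? 'same-origin' : 'cross-origin';
  const type = essence(contentType);
  let kind = 'other';
  if (JS_TYPES.has(type)) kind = 'javascript';
  else if (TRACKED.has(type)) kind = type;
  else if (type.startsWith('text/')) kind = 'text/other';
  else if (type === '') kind = 'missing-or-invalid';
  return `${context}.${origin}.${kind}`;
}

// Count loads per bucket.
function tally(loads) {
  const counts = {};
  for (const load of loads) {
    const bucket = classify(load);
    counts[bucket] = (counts[bucket] || 0) + 1;
  }
  return counts;
}

// Constructed sample loads (not real measurements).
const SAMPLE = [
  { pageUrl: 'https://site.example/', scriptUrl: '/app.js', contentType: 'text/javascript; charset=utf-8', context: 'document' },
  { pageUrl: 'https://site.example/', scriptUrl: 'https://ads.example/t.js', contentType: 'Text/Plain', context: 'document' },
  { pageUrl: 'https://site.example/', scriptUrl: 'https://cdn.example/w.js', contentType: 'text/html', context: 'worker' },
  { pageUrl: 'https://site.example/', scriptUrl: 'https://cdn.example/lib.js', contentType: '', context: 'document' },
];
console.log(tally(SAMPLE));
```
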
Project Member

Comment 2 by bugdroid1@chromium.org, Oct 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dea1cddff24486b92732bedf6e98f7f1d5a3ed48

commit dea1cddff24486b92732bedf6e98f7f1d5a3ed48
Author: Daniel Vogelheim <vogelheim@chromium.org>
Date: Tue Oct 10 11:08:51 2017

Add UseCounters to measure legacy mime type usage with 'nosniff'.

Bug: 765544
Change-Id: I40feae9fa7e93f87592415db267ac3149f128a60
Reviewed-on: https://chromium-review.googlesource.com/702475
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507635}
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/BUILD.gn
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/dom/ClassicScript.cpp
[add] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/loader/AllowedByNosniff.cpp
[add] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/loader/AllowedByNosniff.h
[add] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/loader/AllowedByNosniffTest.cpp
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/loader/BUILD.gn
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/loader/resource/ScriptResource.cpp
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/loader/resource/ScriptResource.h
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/dea1cddff24486b92732bedf6e98f7f1d5a3ed48/tools/metrics/histograms/enums.xml

The *OriginWorker* numbers look pretty good in favor of blocking, although they may get worse (as workers become more prevalent) unless we start blocking them soon?
Status: Assigned (was: Available)