New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 788096 link

Starred by 2 users
Status: Fixed
Owner:
mkwst@chromium.org
Buried. Ping if important.
Closed: Nov 2017
Cc:
mkwst@chromium.org
andypaicu@chromium.org
vogelheim@chromium.org
style-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug



Sign in to add a comment

CSS should be restricted to reasonable MIME types in quirks mode.

Project Member Reported by mkwst@chromium.org, Nov 23 2017 
The results of http://w3c-test.org/fetch/nosniff/stylesheet.html show that Chrome's currently accepting non-`text/css` MIME types for stylesheets in quirks mode. That's unfortunate, and we should either change it by default, or start supporting `nosniff` on CSS files if we can't.


See discussion in https://github.com/whatwg/fetch/issues/636.

Comment 1 by annevank...@gmail.com, Nov 23 2017 

It's not enforced for quirks mode per the HTML Standard. I suspect it would break too much to remove that quirk. Might be worth investigating again, but maybe separately from fixing the nosniff issue?

Comment 2 by mkwst@chromium.org, Nov 23 2017 

Ah. The quirk is only for same-origin stylesheets. I see. I guess that's quite a bit less risky than I was thinking. :)

I'll add some cross-origin checks to that test, and see if I can slap nosniff support together. Shouldn't be too hard.

Comment 3 by meade@chromium.org, Nov 24 2017

Labels: Hotlist-Polish Update-Quarterly

Comment 4 by mkwst@chromium.org, Nov 24 2017

Owner: mkwst@chromium.org
Status: Started (was: Available)
I jumped on this yesterday because it looked trivial. That'll teach me... Ah well. Intent to ship at https://groups.google.com/a/chromium.org/d/msg/blink-dev/A_ICVgLl2kQ/mrD6bb2wBAAJ.
Project Member

Comment 5 by bugdroid1@chromium.org, Nov 27 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/722937f7116a2c448d0700b6d90318852369c785

commit 722937f7116a2c448d0700b6d90318852369c785
Author: Mike West <mkwst@chromium.org>
Date: Mon Nov 27 11:59:08 2017

Implement 'nosniff' support for stylesheets.

Spec: https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?
Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/A_ICVgLl2kQ/mrD6bb2wBAAJ

Bug:  788096 
Change-Id: I05e30696f5d072892a3de472654dbf464483313b
Reviewed-on: https://chromium-review.googlesource.com/788384
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#519281}
[delete] https://crrev.com/5e3ea73074e0d9c7455b3d8e40b938a7ace7231d/third_party/WebKit/LayoutTests/external/wpt/fetch/nosniff/stylesheet-expected.txt
[modify] https://crrev.com/722937f7116a2c448d0700b6d90318852369c785/third_party/WebKit/Source/core/loader/BaseFetchContext.cpp
[modify] https://crrev.com/722937f7116a2c448d0700b6d90318852369c785/third_party/WebKit/Source/core/loader/BaseFetchContext.h
[modify] https://crrev.com/722937f7116a2c448d0700b6d90318852369c785/third_party/WebKit/Source/platform/loader/fetch/FetchContext.h
[modify] https://crrev.com/722937f7116a2c448d0700b6d90318852369c785/third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp
[modify] https://crrev.com/722937f7116a2c448d0700b6d90318852369c785/third_party/WebKit/Source/platform/loader/fetch/ResourceRequest.h
[modify] https://crrev.com/722937f7116a2c448d0700b6d90318852369c785/third_party/WebKit/Source/platform/loader/testing/MockFetchContext.h

Comment 6 by mkwst@chromium.org, Nov 27 2017

Status: Fixed (was: Started)

Sign in to add a comment