CrossOriginReadBlocking::SniffForJSON only detects dictionary values
Issue description
CrossSiteDocumentClassifier::SniffForJSON only sniffs for dictionary values. However, on the web it's common for other values to occur as JSON responses, including especially lists.
Dictionaries are an interesting case, because while a JS program /can/ begin with a '{', it can't begin with '{', a string literal, and a comma. Thus, a sniffing approach can reject JSON dictionaries as definitively "not valid javascript" after the first key name, with high confidence.
For lists, it's less clear. For example, the following is not only legal JS, it might even be a reasonable JS programming pattern:
[1, 2, 3].map(x => console.log(x))
^^^^^^^^^ this is valid JSON; the prefix could be arbitrarily long.
Thus enhancing SniffForJSON to support lists may require buffering the entire response (since a complete JSON list, while a valid JS program, should have no side effects and thus is blockable), or it may require some different handling of ambiguous cases.
Jan 16 2018
It's not clear to me that we can do much here other than relying on nosniff headers. It doesn't seem practical to buffer the entire response in such cases. I'll leave it open for now in case we come up with an idea, but I don't think it's a blocking issue for the moment.
Apr 3 2018
Just reassigning to Nick, since he's come up with an approach that should work when the time comes.
May 22 2018
Sep 26
I still think list-sniffing for JSON is a good idea; however, I'm leaving the project. Here is an out-of-date CL that tries to sniff for JSON lists: https://chromium-review.googlesource.com/c/chromium/src/+/849660 At the heart of it is a simple state machine; while it's effectively a JSON parser, it operates on one character at a time; the only state retained is a stack of state machine values. It is designed to be useful in a streaming case. The implementation as proposed would continue sniffing until net::kMaxBytesToSniff are encountered -- if it still looks like a JSON list after that point, we can decide to treat it as CORB protected.
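The streaming state machine described in the comment above, applied to the "[1, 2, 3].map(...)" ambiguity from the issue description, as an added example that is neither the linked CL's code nor Chromium's: it consumes one byte at a time, retains only a parser state plus a stack of open brackets, and returns one of three verdicts. The names JsonListSniffer, SniffJsonList and the verdict enumerators are this example's own, the 1024-byte default is a constructed stand-in for net::kMaxBytesToSniff, and the number and escape grammar is deliberately lenient, since the goal is sniffing rather than validation.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Verdict about the bytes seen so far: a prefix that could still be a JSON list,
// something definitively not a bare JSON list (e.g. "[1].map("), or a whole list.
enum class JsonListVerdict { kMaybeJsonList, kNotJsonList, kCompleteJsonList };

// Streaming sniffer (example code): consumes one byte at a time; the only
// retained state is the parser state plus a stack of the open '[' / '{' containers.
class JsonListSniffer {
 public:
  JsonListVerdict Feed(char c) {
    if (state_ == State::kNumber && !IsNumberChar(c))
      state_ = State::kAfterValue;  // number ended; c begins the next token
    bool in_token = state_ == State::kString || state_ == State::kEscape || state_ == State::kLiteral;
    if (!in_token && (c == ' ' || c == '\t' || c == '\n' || c == '\r'))
      return Verdict();  // whitespace between tokens is always allowed
    bool just_opened = just_opened_;  // ']' / '}' may directly follow '[' / '{'
    just_opened_ = false;
    switch (state_) {
      case State::kStart: if (c == '[') Open('['); else Fail(); break;  // '{' (a dictionary) fails here
      case State::kValue:
        if (c == ']' && just_opened) Close('['); else if (!StartValue(c)) Fail();
        break;
      case State::kKey:  // object keys must be strings
        if (c == '}' && just_opened) Close('{');
        else if (c == '"') { state_ = State::kString; after_string_ = State::kAfterKey; }
        else Fail();
        break;
      case State::kAfterKey: if (c == ':') state_ = State::kValue; else Fail(); break;
      case State::kAfterValue:
        if (c == ',') state_ = stack_.back() == '[' ? State::kValue : State::kKey;
        else if (c == ']') Close('[');
        else if (c == '}') Close('{');
        else Fail();
        break;
      case State::kString:
        if (c == '"') state_ = after_string_;
        else if (c == '\\') state_ = State::kEscape;
        else if (static_cast<unsigned char>(c) < 0x20) Fail();  // raw control byte
        break;
      case State::kEscape: state_ = State::kString; break;  // lenient: \uXXXX is not checked
      case State::kLiteral:  // remaining bytes of true / false / null
        if (c != *literal_rest_) Fail();
        else if (*++literal_rest_ == '\0') state_ = State::kAfterValue;
        break;
      case State::kDone: Fail(); break;  // non-whitespace after a complete list, e.g. ".map("
      default: break;  // kNumber (IsNumberChar held above) and kFail: nothing to do
    }
    return Verdict();
  }
  JsonListVerdict Verdict() const {
    if (state_ == State::kFail) return JsonListVerdict::kNotJsonList;
    if (state_ == State::kDone) return JsonListVerdict::kCompleteJsonList;
    return JsonListVerdict::kMaybeJsonList;
  }
 private:
  enum class State { kStart, kValue, kKey, kAfterKey, kAfterValue, kString,
                     kEscape, kLiteral, kNumber, kDone, kFail };
  static bool IsNumberChar(char c) {  // lenient number grammar, enough for sniffing
    return std::isdigit(static_cast<unsigned char>(c)) || c == '-' || c == '+' ||
           c == '.' || c == 'e' || c == 'E';
  }
  void Fail() { state_ = State::kFail; }
  void Open(char b) {  // push a container; the very next byte may close it
    stack_.push_back(b); state_ = b == '[' ? State::kValue : State::kKey; just_opened_ = true;
  }
  void Close(char bracket) {  // pop the matching container; empty stack means done
    if (stack_.empty() || stack_.back() != bracket) { Fail(); return; }
    stack_.pop_back();
    state_ = stack_.empty() ? State::kDone : State::kAfterValue;
  }
  bool StartValue(char c) {  // first byte of a value; false if c cannot start one
    if (c == '[' || c == '{') Open(c);
    else if (c == '"') { state_ = State::kString; after_string_ = State::kAfterValue; }
    else if (c == '-' || std::isdigit(static_cast<unsigned char>(c))) state_ = State::kNumber;
    else if (c == 't' || c == 'f' || c == 'n') {
      literal_rest_ = c == 't' ? "rue" : c == 'f' ? "alse" : "ull";
      state_ = State::kLiteral;
    } else return false;
    return true;
  }
  State state_ = State::kStart, after_string_ = State::kAfterValue;
  const char* literal_rest_ = "";
  std::vector<char> stack_;
  bool just_opened_ = false;
};

// Feed at most max_bytes of a body (a stand-in for a bounded sniff window such as
// net::kMaxBytesToSniff; the 1024 default is a constructed value) and report.
JsonListVerdict SniffJsonList(const std::string& body, std::size_t max_bytes = 1024) {
  JsonListSniffer sniffer;
  for (std::size_t i = 0; i < body.size() && i < max_bytes; ++i)
    if (sniffer.Feed(body[i]) == JsonListVerdict::kNotJsonList) break;
  return sniffer.Verdict();
}
```

A body that closes the list and then continues, like the ".map(" example, flips to kNotJsonList at the first byte after the closing ']', so the sniffer never has to understand the JS that follows. A list still open when the byte budget runs out stays kMaybeJsonList, which is the case the comment proposes treating as CORB protected. A leading '{' is rejected at the first byte, since dictionaries remain the job of the existing SniffForJSON.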
Comment 1 by nick@chromium.org, Dec 16 2017
Owner: creis@chromium.org
Status: Assigned (was: Untriaged)