Issue 809259 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	lukasza@chromium.org
Closed:	Feb 2018
Cc:	█ nick@chromium.org domenic@chromium.org wfh@chromium.org creis@chromium.org
Components:	Internals>Sandbox>SiteIsolation
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

Blocking:
issue 268640

JSON parser breaking sniffing in XSDB can theoretically block valid text/css responses

Project Member Reported by lukasza@chromium.org, Feb 5 2018

Issue description

It is possible to craft a text/css response that
1) contains a JSON parser breaker at the beginning
2) is still parsing fine as a stylesheet

For example:
    )]}'
    {}
    h1 { color: red; }

We should tweak XSDB's implementation so that it doesn't block such responses.

Comment 1 by domenic@chromium.org, Feb 6 2018

If I understand correctly, XSDB would only block these in cases where it's cross-origin but contains an empty/missing Content-Type header. And, per spec, those should be blocked anyway. (But they are not in Chrome.)

I've filed https://github.com/whatwg/html/issues/3457 on the spec to investigate whether allowing empty/missing Content-Type headers is a Chrome-only quirk which we can fix in Chrome, or whether it's something all browsers do which we need to codify in the spec and account for.

Comment 2 by domenic@chromium.org, Feb 6 2018

Hmm, sorry, maybe I misunderstood this bug, and it's about cases that have correct Content-Type headers but also have JSON parser breakers inside them. If so, please disregard my previous comment.

Comment 3 by lukasza@chromium.org, Feb 6 2018

Owner: lukasza@chromium.org
Status: Started (was: Untriaged)

WIP CL @ https://chromium-review.googlesource.com/905634

RE: #c2 - yes this bug is about stylesheets served with the correct text/css MIME, but possibly blocked by XSDB because of JSON parser breaker at the beginning.

Project Member

Comment 4 by bugdroid1@chromium.org, Feb 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/984653dce0cb862eef0753d6f1e08932ed61cde9

commit 984653dce0cb862eef0753d6f1e08932ed61cde9
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Fri Feb 09 21:45:35 2018

XSDB: don't sniff for JSON parser breaker in text/css responses.

Bug:  809259 
Change-Id: I0b05c2955cf25e049c1558dc40e86b5e8e144371
Reviewed-on: https://chromium-review.googlesource.com/905634
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nick Carter <nick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535838}
[modify] https://crrev.com/984653dce0cb862eef0753d6f1e08932ed61cde9/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/984653dce0cb862eef0753d6f1e08932ed61cde9/content/browser/loader/cross_site_document_resource_handler.h
[add] https://crrev.com/984653dce0cb862eef0753d6f1e08932ed61cde9/third_party/WebKit/LayoutTests/external/wpt/fetch/corb/README.md
[add] https://crrev.com/984653dce0cb862eef0753d6f1e08932ed61cde9/third_party/WebKit/LayoutTests/external/wpt/fetch/corb/css-with-json-parser-breaker.sub.html
[add] https://crrev.com/984653dce0cb862eef0753d6f1e08932ed61cde9/third_party/WebKit/LayoutTests/external/wpt/fetch/corb/resources/css-with-json-parser-breaker.css

Comment 5 by lukasza@chromium.org, Feb 9 2018

Status: Fixed (was: Started)

►

Issue 809259 link

Issue metadata

JSON parser breaking sniffing in XSDB can theoretically block valid text/css responses

Issue description

Comment 1 by domenic@chromium.org, Feb 6 2018

Comment 1 Deleted

Comment 2 by domenic@chromium.org, Feb 6 2018

Comment 2 Deleted

Comment 3 by lukasza@chromium.org, Feb 6 2018

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Feb 9 2018

Comment 4 Deleted

Comment 5 by lukasza@chromium.org, Feb 9 2018

Comment 5 Deleted

Sign in to add a comment