Add MIME types that are never sniffed
Closes #10.
annevk authored Jan 15, 2021
1 parent adee579 commit 6268458
Showing 1 changed file with 45 additions and 8 deletions.
53 changes: 45 additions & 8 deletions README.md
Expand Up @@ -10,7 +10,46 @@ CSS, JavaScript, and media (audio, images, video) can be requested across origin

## Processing model

An **opaque-blocklist MIME type** is an [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type), [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type), or [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type).
An **opaque-safelisted MIME type** is a [JavaScript MIME type](https://mimesniff.spec.whatwg.org/#javascript-mime-type) or a MIME type whose essence is "`text/css`" or "`image/svg+xml`".

An **opaque-blocklisted MIME type** is an [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type), [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type), or [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type).

An **opaque-blocklisted-never-sniffed MIME type** is a MIME type whose essence is one of

* "`application/gzip`"
* "`application/msexcel`"
* "`application/mspowerpoint`"
* "`application/msword`"
* "`application/msword-template`"
* "`application/pdf`"
* "`application/vnd.ces-quickpoint`"
* "`application/vnd.ces-quicksheet`"
* "`application/vnd.ces-quickword`"
* "`application/vnd.ms-excel`"
* "`application/vnd.ms-excel.sheet.macroenabled.12`"
* "`application/vnd.ms-powerpoint`"
* "`application/vnd.ms-powerpoint.presentation.macroenabled.12`"
* "`application/vnd.ms-word`"
* "`application/vnd.ms-word.document.12`"
* "`application/vnd.ms-word.document.macroenabled.12`"
* "`application/vnd.msword`"
* "`application/vnd.openxmlformats-officedocument.presentationml.presentation`"
* "`application/vnd.openxmlformats-officedocument.presentationml.template`"
* "`application/vnd.openxmlformats-officedocument.spreadsheetml.sheet`"
* "`application/vnd.openxmlformats-officedocument.spreadsheetml.template`"
* "`application/vnd.openxmlformats-officedocument.wordprocessingml.document`"
* "`application/vnd.openxmlformats-officedocument.wordprocessingml.template`"
* "`application/vnd.presentation-openxml`"
* "`application/vnd.presentation-openxmlm`"
* "`application/vnd.spreadsheet-openxml`"
* "`application/vnd.wordprocessing-openxml`"
* "`application/x-gzip`"
* "`application/x-protobuf`"
* "`application/zip`"
* "`multipart/byteranges`"
* "`multipart/signed`"
* "`text/event-stream`"
* "`text/csv`"

A user agent has an **opaque-safelisted requesters set**. (This should be scoped similar to other network caches.)

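Review bot: in the new never-sniffed list, `application/vnd.presentation-openxmlm` immediately follows `application/vnd.presentation-openxml` and reads like a typo of its neighbour; if it is deliberately carried over from an existing blocklist (the acknowledgments now credit Chromium's CORB project), a short note saying so would stop a future editor from "fixing" it, and if it is not deliberate it should be dropped. A smaller point: the list is alphabetical except that `text/event-stream` precedes `text/csv`; swapping the two keeps the list sorted and makes it easier to diff against other blocklists.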
Expand All @@ -23,11 +62,10 @@ To determine whether to allow response _response_ to a request _request_, run th
1. Let _mimeType_ be the result of [extracting a MIME type](https://fetch.spec.whatwg.org/#concept-header-extract-mime-type) from _response_'s header list.
1. Let _nosniff_ be the result of [determining nosniff](https://fetch.spec.whatwg.org/#determine-nosniff) given _response_'s header list.
1. If _mimeType_ is not failure, then:
1. If _mimeType_ is a [JavaScript MIME type](https://mimesniff.spec.whatwg.org/#javascript-mime-type), then return true.
1. If _mimeType_'s essence is "`text/css`", then return true.
1. If _mimeType_'s essence is "`image/svg+xml`", then return true.
1. If _response_'s status is `206` and _mimeType_ is an opaque-blocklist MIME type, then return false. TODO: is this needed with the requesters set?
1. If _nosniff_ is true and _mimeType_ is an opaque-blocklist MIME type or its essence is "`text/plain`", then return false.
1. If _mimeType_ is an opaque-safelisted MIME type, then return true.
1. If _mimeType_ is an opaque-blocklisted-never-sniffed MIME type, then return false.
1. If _response_'s status is `206` and _mimeType_ is an opaque-blocklisted MIME type, then return false. TODO: is this needed with the requesters set?
1. If _nosniff_ is true and _mimeType_ is an opaque-blocklisted MIME type or its essence is "`text/plain`", then return false.
1. If the user agent's opaque-safelisted requesters set contains (_request_'s opaque media identifier, _request_'s current URL), then return true.
1. Wait for 1024 bytes of _response_ or end-of-file, whichever comes first and let _bytes_ be those bytes.
1. If the [image type pattern matching algorithm](https://mimesniff.spec.whatwg.org/#image-type-pattern-matching-algorithm) given _bytes_ does not return undefined, then return true.
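Review bot: the new step "If _mimeType_ is an opaque-blocklisted-never-sniffed MIME type, then return false." sits before "If the user agent's opaque-safelisted requesters set contains (...), then return true.", so membership in the requesters set no longer lets such a response through, and the 206 and nosniff steps that follow never see these types either. That ordering is what "never sniffed" means, but nothing on the page states it and the commit message is only "Closes #10."; a one-line note after the step recording that it is intentionally unaffected by the requesters set and by later sniffing would document the intent. The TODO on the 206 step is also carried over unchanged; it would help to say whether #10 covers it or whether it stays open.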
Expand All @@ -38,7 +76,6 @@ To determine whether to allow response _response_ to a request _request_, run th
1. If _response_'s status is not an [ok status](https://fetch.spec.whatwg.org/#ok-status), then return false.
1. If _mimeType_ is failure, then return true.
1. If _mimeType_'s essence starts with "`audio/`", "`image/`", or "`video/`", then return false.
1. If _mimeType_'s essence is "`text/csv`", then return false.
1. If _response_'s body parses as JavaScript and does not parse as JSON, then return true.
1. Return false.

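Review bot: dropping "If _mimeType_'s essence is "`text/csv`", then return false." here while adding `text/csv` to the never-sniffed list is a behaviour change, not a pure move: previously a `text/csv` response could still be allowed by the requesters-set step or by the image-type pattern matching step before the algorithm reached this point, whereas it is now rejected before any bytes are sniffed. That is the safer outcome, but it deserves a sentence in the commit message (currently just "Closes #10.") so readers of the history know the earlier block is intended.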
Expand All @@ -51,4 +88,4 @@ Note: responses for which the above algorithm returns true and contain secrets a

## Acknowledgments

Many thanks to Jake Archibald, Lukasz Anforowicz, and Nathan Froyd.
Many thanks to Jake Archibald, Lukasz Anforowicz, Nathan Froyd, and those involved in Chromium's CORB project.
