It would be great to ask the community on webkit-dev
mailing list if they want this feature or not.
I don't know why others haven't enabled it yet,
maybe they have a good reason for it.
Is it documented how this interacts with http://mimesniff.spec.whatwg.org/ and resource loading in general? Last I checked this header was not really implemented consistently.
> Is it documented how this interacts with http://mimesniff.spec.whatwg.org/ and resource loading in general?
Could you please elaborate? http://mimesniff.spec.whatwg.org appears to tell exactly what to do with X-Content-Type-Options: nosniff.
Or are you asking whether the implementation matches this spec? That's certainly a valid question, and I do not know the answer.
Comment on attachment 237489
Proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=237489&action=review
r- for not having any tests.
Also, looks like what this patch does is enable MIME type checking on scripts when the headers field is present. This doesn't appear to be part of the spec that Anne cited. Do other browsers actually do this? In particular, does Chrome still do this?
Actual nosniff support needs to be implemented by underlying networking libraries, and CFNetwork does implement it for Safari. Other platforms should probably do this at the same level.
> ChangeLog:3
> + Enable of X-Content-Type-Options: nosniff header, and remove #if guards.
As Ossy said, this is something that needs to be announced on webkit-dev.
But also, if we are to get a new feature, then we need tests for it.
We already have tests for nosniff in the http/tests/security/contentTypeOptions directory, but they are skipped in the TestExpectations of gtk/mac/win/wincairo/wk2.
All of these tests pass on EFL and Mac too with the patch applied.
I haven't checked if the implementation and the test fulfil the spec.
Google implemented this feature in the WebKit era:
- added compile time flag - bug 109029 - http://trac.webkit.org/changeset/141985
- added implementation and tests - bug 71851 - http://trac.webkit.org/changeset/142683
- removed the ifdefs after the Blink fork - https://codereview.chromium.org/13724004
I found only one patch after the fork: https://codereview.chromium.org/185593011
Probably we should merge it to WebKit before enabling.
Thanks Ossy! I tried nosniff-script-blocked.html, and it fails in Firefox. I did not try IE.
The code that this patch enables appears to implement something that is not specced, and which looks quite strange. Its effect is that X-Content-Type-Options: nosniff does two different things at separate levels of the browser stack:
1. It disables Content-Type sniffing, which is implemented by low level networking code such as CFNetwork.
2. It enables strict MIME type checking for scripts. For some context, strict MIME type checking for CSS is enabled with HTML parser strict mode, so it's controlled by the embedding document, not by the script resource itself. It's quite inconsistent to do the opposite for scripts.
To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2.
If we decide to not proceed, it would probably be best to remove the code from trunk.
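As an added illustration (not code from this patch or from WebKit), here is the second of those two levels, the strict MIME type check for scripts and stylesheets, written out in Python in the shape the Fetch standard gives it, together with the header parsing that the parsing-nosniff.html test exercises. Level 1 (disabling content sniffing) lives in the networking layer and is not modelled. Function names and the header lists in the test are this example's own constructions.

```python
"""Added example (not WebKit code): the nosniff check a resource loader runs
after the response headers arrive.  Names below are this example's own."""

# Essences the Fetch standard treats as JavaScript MIME types.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}
# Request destinations the standard calls "script-like"; "worker" is what
# importScripts() in a worker uses, hence the importscripts.html test.
SCRIPT_LIKE_DESTINATIONS = {"script", "worker", "sharedworker", "serviceworker",
                            "audioworklet", "paintworklet"}
HTTP_WHITESPACE = " \t\r\n"


def header_values(headers, name):
    """Collect every value of a header (name matched case-insensitively),
    split on commas and trimmed of HTTP whitespace.  Returns None when the
    header is absent.  Simplification: quoted strings are not honoured."""
    out = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip(HTTP_WHITESPACE) for part in value.split(","))
    return out or None


def determine_nosniff(headers):
    """Fetch's 'determine nosniff': only the first value counts and the
    comparison is case-insensitive, so 'NOSNIFF, x' enables it while
    'x, nosniff' does not."""
    values = header_values(headers, "x-content-type-options")
    return values is not None and values[0].lower() == "nosniff"


def mime_essence(headers):
    """Essence (type/subtype, lowercased, parameters dropped) of the last
    Content-Type value, or None when it is absent or has no type/subtype."""
    values = [value for key, value in headers if key.lower() == "content-type"]
    if not values:
        return None
    essence = values[-1].split(";", 1)[0].strip(HTTP_WHITESPACE).lower()
    return essence if "/" in essence else None


def blocked_by_nosniff(headers, destination):
    """Strict MIME check (level 2 above).  With nosniff set, a script-like
    destination needs a JavaScript MIME type and a style destination needs
    text/css; a missing Content-Type is blocked too.  Other destinations are
    never blocked by this check."""
    if not determine_nosniff(headers):
        return False
    essence = mime_essence(headers)
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


if __name__ == "__main__":
    # Constructed responses, not captured traffic.
    cases = [
        ([("X-Content-Type-Options", "nosniff"), ("Content-Type", "text/plain")], "script"),
        ([("X-Content-Type-Options", "nosniff"), ("Content-Type", "text/javascript; charset=utf-8")], "script"),
        ([("X-Content-Type-Options", "nosniff")], "style"),
        ([("Content-Type", "text/plain")], "script"),
    ]
    for headers, destination in cases:
        print(destination, headers, "->", "blocked" if blocked_by_nosniff(headers, destination) else "allowed")
```

Note that a response carrying nosniff but no Content-Type at all is blocked for script and style destinations, which is the case nosniff-script-without-content-type-blocked.html covers; without the header, the loader falls through to the usual (non-strict) handling.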
(In reply to comment #8)
> To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2.
Alexey, it looks like Mozilla doesn't implement X-Content-Type-Options: nosniff at all: https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Comment on attachment 307853
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 307853 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580348
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Created attachment 307861
Archive of layout-test-results from ews105 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307853
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 307853 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580508
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Created attachment 307864
Archive of layout-test-results from ews117 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307853
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 307853 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580670
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Created attachment 307866
Archive of layout-test-results from ews102 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307853
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 307853 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3580661
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Created attachment 307867
Archive of layout-test-results from ews123 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Created attachment 307868
Archive of layout-test-results from ews104 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Created attachment 307870
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Created attachment 307872
Archive of layout-test-results from ews101 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Created attachment 307875
Archive of layout-test-results from ews116 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Created attachment 307876
Archive of layout-test-results from ews103 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Created attachment 307880
Archive of layout-test-results from ews117 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Created attachment 307881
Archive of layout-test-results from ews123 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Created attachment 307882
Archive of layout-test-results from ews122 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Created attachment 307895
Archive of layout-test-results from ews126 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307859
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
View in context: https://bugs.webkit.org/attachment.cgi?id=307859&action=review
r=me.
> Tools/Scripts/webkitperl/FeatureList.pm:330
> + define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl()), value => \$nosniffSupport },
Is EFL still a thing we support?
Comment on attachment 308054
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 308054 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599176
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Created attachment 308060
Archive of layout-test-results from ews100 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 308054
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 308054 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3599152
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Created attachment 308061
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Created attachment 308062
Archive of layout-test-results from ews101 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Created attachment 308063
Archive of layout-test-results from ews106 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 308054
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 308054 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599390
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Created attachment 308064
Archive of layout-test-results from ews117 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Created attachment 308065
Archive of layout-test-results from ews112 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 308054
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Attachment 308054 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3599494
New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Created attachment 308068
Archive of layout-test-results from ews125 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Created attachment 308069
Archive of layout-test-results from ews124 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
(In reply to Build Bot from comment #68)
> Comment on attachment 308054
> Part 2: Honor nosniff header for stylesheets, update tests and expected results
>
> Attachment 308054 did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3599494
>
> New failing tests:
> imported/w3c/web-platform-tests/fetch/nosniff/script.html
> http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
> http/tests/security/contentTypeOptions/nosniff-script-blocked.html
> imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
> imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
> http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Disregard these failures.
Notice that the all-in-one patch (attachment #308024) passed all EWS bots. This part fails EWS because it unskips nosniff tests but ENABLE(NOSNIFF) is disabled.
(In reply to Build Bot from comment #70)
> Comment on attachment 308053
> Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
>
> Attachment 308053 did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3599464
>
> New failing tests:
> imported/w3c/web-platform-tests/fetch/nosniff/script.html
> imported/w3c/web-platform-tests/fetch/nosniff/parsing-
Disregard these failures.
Notice that the all-in-one patch (attachment #308024) passed all EWS bots. This part fails EWS because ENABLE(NOSNIFF) is enabled, but it does not contain updated expected results.
(In reply to Brent Fulgham from comment #49)
> > Tools/Scripts/webkitperl/FeatureList.pm:330
> > + define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl()), value => \$nosniffSupport },
>
> Is EFL still a thing we support?
Will remove before landing as we no longer have EFL build.webkit.org buildbots or EWS bots.
Attachment history (upload time, uploader, review flags):
2014-09-02 08:36 PDT, Nagy Renátó (ap: commit-queue-)
2017-04-21 17:32 PDT, Daniel Bates
2017-04-21 17:33 PDT, Daniel Bates
2017-04-21 17:34 PDT, Daniel Bates
2017-04-21 17:55 PDT, Daniel Bates
2017-04-21 17:55 PDT, Daniel Bates (buildbot: commit-queue-)
2017-04-21 17:55 PDT, Daniel Bates
2017-04-21 18:11 PDT, Daniel Bates
2017-04-21 18:14 PDT, Daniel Bates
2017-04-21 18:14 PDT, Daniel Bates
2017-04-21 18:55 PDT, Build Bot
2017-04-21 19:29 PDT, Build Bot
2017-04-21 19:43 PDT, Build Bot
2017-04-21 19:59 PDT, Build Bot
2017-04-21 20:06 PDT, Build Bot
2017-04-21 20:19 PDT, Build Bot
2017-04-21 20:24 PDT, Build Bot
2017-04-21 20:41 PDT, Build Bot
2017-04-21 20:54 PDT, Build Bot
2017-04-21 21:16 PDT, Build Bot
2017-04-21 22:01 PDT, Build Bot
2017-04-21 22:11 PDT, Build Bot
2017-04-21 23:38 PDT, Build Bot
2017-04-24 16:08 PDT, Daniel Bates
2017-04-24 17:13 PDT, Daniel Bates
2017-04-24 20:08 PDT, Daniel Bates (buildbot: commit-queue-)
2017-04-24 20:08 PDT, Daniel Bates (buildbot: commit-queue-)
2017-04-24 21:18 PDT, Build Bot
2017-04-24 21:18 PDT, Build Bot
2017-04-24 21:37 PDT, Build Bot
2017-04-24 21:42 PDT, Build Bot
2017-04-24 22:10 PDT, Build Bot
2017-04-24 22:12 PDT, Build Bot
2017-04-24 22:49 PDT, Build Bot
2017-04-24 22:57 PDT, Build Bot