Description
Nagy Renátó
2014-09-02 08:31:34 PDT
Created attachment 237489 [details]
Proposed patch
It would be great to ask the community on webkit-dev mailing list if they want this feature or not. I don't know why others haven't enabled it yet, maybe they have a good reason for it.

Is it documented how this interacts with http://mimesniff.spec.whatwg.org/ and resource loading in general? Last I checked this header was not really implemented consistently.

> Is it documented how this interacts with http://mimesniff.spec.whatwg.org/ and resource loading in general?

Could you please elaborate? http://mimesniff.spec.whatwg.org appears to tell exactly what to do with X-Content-Type-Options: nosniff. Or are you asking whether the implementation matches this spec? That's certainly a valid question, and I do not know the answer.

Comment on attachment 237489 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=237489&action=review

r- for not having any tests.

Also, looks like what this patch does is enable MIME type checking on scripts when the headers field is present. This doesn't appear to be part of the spec that Anne cited. Do other browsers actually do this? In particular, does Chrome still do this?

Actual nosniff support needs to be implemented by underlying networking libraries, and CFNetwork does implement it for Safari. Other platforms should probably do this at the same level.

> ChangeLog:3
> + Enable of X-Content-Type-Options: nosniff header, and remove #if guards.

As Ossy said, this is something that needs to be announced on webkit-dev. But also, if we are to get a new feature, then we need tests for it.

Fair. It's not clear to me that specification is correct.

We already have tests for nosniff in http/tests/security/contentTypeOptions directory, but they are skipped in TestExpectations of gtk/mac/win/wincairo/wk2. All of these tests pass on EFL and Mac too with applying the patch. I haven't checked if the implementation and the test fulfil the spec.
Google implemented this feature in WebKit era:
- added compile time flag - bug109029 - http://trac.webkit.org/changeset/141985
- added implementation and tests - bug71851 - http://trac.webkit.org/changeset/142683
- removed the ifdefs after the Blink fork - https://codereview.chromium.org/13724004

I found only one patch after the fork: https://codereview.chromium.org/185593011
Probably we should merge it to WebKit before enabling.

Thanks Ossy! I tried nosniff-script-blocked.html, and it fails in Firefox. I did not try IE.

The code that this patch enables appears to implement something that is not specced, and what looks quite strange. Its effect is that X-Content-Type-Options: nosniff does two different things at separate levels of browser stack:
1. It disables Content-Type sniffing, which is implemented by low level networking code such as CFNetwork.
2. It enables strict MIME type checking for scripts.

For some context, strict MIME type checking for CSS is enabled with HTML parser strict mode, so it's controlled by the embedding document, not by the script resource itself. It's quite inconsistent to do the opposite for scripts.

To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2. If we decide to not proceed, it would probably be best to remove the code from trunk.

(In reply to comment #8)
> To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2.

Alexey, it looks like Mozilla doesn't implement X-Content-Type-Options: nosniff at all: https://bugzilla.mozilla.org/show_bug.cgi?id=471020

Thanks Adam, nice discussion in that bug, as they are also unsure what to do with scripts (and then with all other resource types, such as images).

Since I last commented https://fetch.spec.whatwg.org/ defines this header in more detail now. I also submitted tests for it to web-platform-tests.
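The two behaviours distinguished in the discussion above (parsing of the X-Content-Type-Options header and the strict MIME type check for script-like and stylesheet destinations) as an added Python illustration of the Fetch standard's algorithm; this is not WebKit's code nor the spec text, the JavaScript MIME list and destination set are taken from the MIME Sniffing and Fetch standards, and quoted-string handling in header values is omitted.

```python
# Added illustration of Fetch's nosniff handling (not WebKit code).
# Headers are modelled as a list of (name, value) pairs as received on the wire.

# JavaScript MIME type essences as enumerated by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Request destinations that Fetch treats as "script-like".
SCRIPT_LIKE_DESTINATIONS = {
    "audioworklet", "paintworklet", "script", "serviceworker",
    "sharedworker", "worker",
}


def _header_values(headers, name):
    """All values of the named header, in wire order (name is lowercase)."""
    return [v for n, v in headers if n.lower() == name]


def determine_nosniff(headers):
    """Fetch's "determine nosniff": only the first comma-separated member of
    the combined X-Content-Type-Options value is compared, ASCII
    case-insensitively, against "nosniff". So "nosniff,,garbage" enables it
    and "garbage,nosniff" does not, which is what parsing-nosniff.html checks.
    """
    values = _header_values(headers, "x-content-type-options")
    if not values:
        return False
    first = ", ".join(values).split(",")[0]
    return first.strip(" \t").lower() == "nosniff"


def mime_type_essence(headers):
    """Lowercase type/subtype of the last Content-Type header, or None when the
    header is missing or unparsable. A missing header yields None, which is
    why nosniff-script-without-content-type-blocked.html expects a block."""
    values = _header_values(headers, "content-type")
    if not values:
        return None
    essence = values[-1].split(";", 1)[0].strip(" \t").lower()
    return essence if "/" in essence else None


def should_block_due_to_nosniff(destination, headers):
    """Fetch's "should response to request be blocked due to nosniff?".
    Returns True for "blocked" and False for "allowed"."""
    if not determine_nosniff(headers):
        return False
    essence = mime_type_essence(headers)
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    # Other destinations (images, fetch(), ...) are not gated by this check.
    return False


if __name__ == "__main__":
    # Constructed sample responses mirroring the layout tests named in the bug.
    nosniff = ("X-Content-Type-Options", "nosniff")
    print(should_block_due_to_nosniff("script", [nosniff, ("Content-Type", "text/plain")]))  # True
    print(should_block_due_to_nosniff("script", [nosniff]))  # True
    print(should_block_due_to_nosniff("style", [nosniff, ("Content-Type", "text/css")]))  # False
```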
Finally, Mozilla has fixed this issue in Firefox 50! https://bugzilla.mozilla.org/show_bug.cgi?id=471020

Created attachment 307846 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Created attachment 307848 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Created attachment 307849 [details]
All-in-one patch for EWS
Created attachment 307852 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Created attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Created attachment 307854 [details]
All-in-one patch for EWS
Created attachment 307856 [details]
All-in-one patch for EWS
Created attachment 307858 [details]
All-in-one patch for EWS
Created attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580348

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307861 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580508

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307864 [details]
Archive of layout-test-results from ews117 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580670

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307866 [details]
Archive of layout-test-results from ews102 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3580661

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307867 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580684

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307868 [details]
Archive of layout-test-results from ews104 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580763

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 307870 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580882

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307872 [details]
Archive of layout-test-results from ews101 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580910

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 307875 [details]
Archive of layout-test-results from ews116 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3581156

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 307876 [details]
Archive of layout-test-results from ews103 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3581218

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307880 [details]
Archive of layout-test-results from ews117 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3581582

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 307881 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3581486

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
fast/workers/worker-exception-during-navigation.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307882 [details]
Archive of layout-test-results from ews122 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3582344

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

Created attachment 307895 [details]
Archive of layout-test-results from ews126 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

View in context: https://bugs.webkit.org/attachment.cgi?id=307859&action=review

r=me.

> Tools/Scripts/webkitperl/FeatureList.pm:330
> + define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl()), value => \$nosniffSupport },

Is EFL still a thing we support?

Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Looks good! r=me.
It looks like the EWS failures are due to general build issues unrelated to this patch.

Created attachment 308018 [details]
All-in-one patch for EWS
Created attachment 308024 [details]
All-in-one patch for EWS
Created attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Created attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599176

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Created attachment 308060 [details]
Archive of layout-test-results from ews100 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3599152

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Created attachment 308061 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599142

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 308062 [details]
Archive of layout-test-results from ews101 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3599156

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 308063 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599390

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Created attachment 308064 [details]
Archive of layout-test-results from ews117 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599299

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 308065 [details]
Archive of layout-test-results from ews112 for mac-elcapitan
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3599494

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Created attachment 308068 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3599464

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html

Created attachment 308069 [details]
Archive of layout-test-results from ews124 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6
(In reply to Build Bot from comment #68)
> Comment on attachment 308054 [details]
> Part 2: Honor nosniff header for stylesheets, update tests and expected
> results
>
> Attachment 308054 [details] did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3599494
>
> New failing tests:
> imported/w3c/web-platform-tests/fetch/nosniff/script.html
> http/tests/security/contentTypeOptions/nosniff-script-without-content-type-
> blocked.html
> http/tests/security/contentTypeOptions/nosniff-script-blocked.html
> imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
> imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
> http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Disregard these failures. Notice that the all-in-one patch (attachment #308024 [details]) passed all EWS bots. This part fails EWS because it unskips nosniff tests but ENABLE(NOSNIFF) is disabled.

(In reply to Build Bot from comment #70)
> Comment on attachment 308053 [details]
> Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows
> platforms
>
> Attachment 308053 [details] did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3599464
>
> New failing tests:
> imported/w3c/web-platform-tests/fetch/nosniff/script.html
> imported/w3c/web-platform-tests/fetch/nosniff/parsing-

Disregard these failures. Notice that the all-in-one patch (attachment #308024 [details]) passed all EWS bots. This part fails EWS because ENABLE(NOSNIFF) is enabled, but it does not contain updated expected results.

(In reply to Brent Fulgham from comment #49)
> > Tools/Scripts/webkitperl/FeatureList.pm:330
> > + define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl()), value => \$nosniffSupport },
>
> Is EFL still a thing we support?

Will remove before landing as we no longer have EFL build.webkit.org buildbots or EWS bots.
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
r=me.
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
r=me
Committed r215753: <http://trac.webkit.org/changeset/215753>