Bug 136452

Summary: [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
Product: WebKit
Reporter: Nagy Renátó <rnagy>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: annevk, ap, aroben, bfulgham, buildbot, commit-queue, dbates, esprehn+autocc, gyuyoung.kim, japhet, kangil.han, miyajan777, mkwst, ossy, rakuco, rniwa, ryuan.choi, sergio, syoichi, teppeis
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 157145, 171248    
Attachments:
Description Flags
Proposed patch
ap: review-, ap: commit-queue-
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
none
Part 2: Honor nosniff header for stylesheets, update tests and expected results
none
All-in-one patch for EWS
none
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
none
Part 2: Honor nosniff header for stylesheets, update tests and expected results
bfulgham: review+, buildbot: commit-queue-
All-in-one patch for EWS
none
All-in-one patch for EWS
none
All-in-one patch for EWS
buildbot: commit-queue-
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
buildbot: commit-queue-
Archive of layout-test-results from ews105 for mac-elcapitan-wk2
none
Archive of layout-test-results from ews117 for mac-elcapitan
none
Archive of layout-test-results from ews102 for mac-elcapitan
none
Archive of layout-test-results from ews123 for ios-simulator-wk2
none
Archive of layout-test-results from ews104 for mac-elcapitan-wk2
none
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
none
Archive of layout-test-results from ews101 for mac-elcapitan
none
Archive of layout-test-results from ews116 for mac-elcapitan
none
Archive of layout-test-results from ews103 for mac-elcapitan
none
Archive of layout-test-results from ews117 for mac-elcapitan
none
Archive of layout-test-results from ews123 for ios-simulator-wk2
none
Archive of layout-test-results from ews122 for ios-simulator-wk2
none
Archive of layout-test-results from ews126 for ios-simulator-wk2
none
All-in-one patch for EWS
none
All-in-one patch for EWS
none
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
bfulgham: review+, buildbot: commit-queue-
Part 2: Honor nosniff header for stylesheets, update tests and expected results
bfulgham: review+, buildbot: commit-queue-
Archive of layout-test-results from ews100 for mac-elcapitan
none
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
none
Archive of layout-test-results from ews101 for mac-elcapitan
none
Archive of layout-test-results from ews106 for mac-elcapitan-wk2
none
Archive of layout-test-results from ews117 for mac-elcapitan
none
Archive of layout-test-results from ews112 for mac-elcapitan
none
Archive of layout-test-results from ews125 for ios-simulator-wk2
none
Archive of layout-test-results from ews124 for ios-simulator-wk2
none

Description Nagy Renátó 2014-09-02 08:31:34 PDT
The support of X-Content-Type-Options: nosniff header for EFL was enabled in https://trac.webkit.org/changeset/164848 and https://trac.webkit.org/changeset/164848.

This patch removes the #if guards and
enables it on all platforms unconditionally.
Comment 1 Nagy Renátó 2014-09-02 08:36:46 PDT
Created attachment 237489 [details]
Proposed patch
Comment 2 Csaba Osztrogonác 2014-09-02 09:33:22 PDT
It would be great to ask the community on webkit-dev 
mailing list if they want this feature or not.

I don't know why others haven't enabled it yet,
maybe they have a good reason for it.
Comment 3 Anne van Kesteren 2014-09-02 11:24:46 PDT
Is it documented how this interacts with http://mimesniff.spec.whatwg.org/ and resource loading in general? Last I checked this header was not really implemented consistently.
Comment 4 Alexey Proskuryakov 2014-09-02 23:44:55 PDT
> Is it documented how this interacts with http://mimesniff.spec.whatwg.org/ and resource loading in general?

Could you please elaborate? http://mimesniff.spec.whatwg.org appears to tell exactly what to do with X-Content-Type-Options: nosniff.

Or are you asking whether the implementation matches this spec? That's certainly a valid question, and I do not know the answer.
Comment 5 Alexey Proskuryakov 2014-09-02 23:57:42 PDT
Comment on attachment 237489 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=237489&action=review

r- for not having any tests.

Also, looks like what this patch does is enable MIME type checking on scripts when the headers field is present. This doesn't appear to be part of the spec that Anne cited. Do other browsers actually do this? In particular, does Chrome still do this?

Actual nosniff support needs to be implemented by underlying networking libraries, and CFNetwork does implement it for Safari. Other platforms should probably do this at the same level.

> ChangeLog:3
> +        Enable of X-Content-Type-Options: nosniff header, and remove #if guards.
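
Review bot: the ChangeLog summary on line 3 says only that the header is enabled and the #if guards are removed; it should say what changes for content once the guards are gone (the checks the guarded code applies when the header is present) and name the tests that cover it. "Enable of" should also read "Enable".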

As Ossy said, this is something that needs to be announced on webkit-dev.

But also, if we are to get a new feature, then we need tests for it.
Comment 6 Anne van Kesteren 2014-09-03 02:12:50 PDT
Fair. It's not clear to me that specification is correct.
Comment 7 Csaba Osztrogonác 2014-09-04 01:55:20 PDT
We already have tests for nosniff in http/tests/security/contentTypeOptions directory, but they are skipped in TestExpectations of gtk/mac/win/wincairo/wk2.

All of these tests pass on EFL and Mac too with applying the patch. 
I haven't checked if the implementation and the test fulfil the spec.

Google implemented this feature in the WebKit era:
- added compile time flag - bug 109029 - http://trac.webkit.org/changeset/141985
- added implementation and tests - bug 71851 - http://trac.webkit.org/changeset/142683
- removed the ifdefs after the Blink fork - https://codereview.chromium.org/13724004

I found only one patch after the fork: https://codereview.chromium.org/185593011
Probably we should merge it to WebKit before enabling.
Comment 8 Alexey Proskuryakov 2014-09-04 09:27:05 PDT
Thanks Ossy! I tried nosniff-script-blocked.html, and it fails in Firefox. I did not try IE.

The code that this patch enables appears to implement something that is not specced, and that looks quite strange. Its effect is that X-Content-Type-Options: nosniff does two different things at separate levels of the browser stack:

1. It disables Content-Type sniffing, which is implemented by low level networking code such as CFNetwork.

2. It enables strict MIME type checking for scripts. For some context, strict MIME type checking for CSS is enabled with HTML parser strict mode, so it's controlled by the embedding document, not by the script resource itself. It's quite inconsistent to do the opposite for scripts.

To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2.

If we decide to not proceed, it would probably be best to remove the code from trunk.
Comment 9 Adam Roben (:aroben) 2014-09-23 07:53:15 PDT
(In reply to comment #8)
> To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2.

Alexey, it looks like Mozilla doesn't implement X-Content-Type-Options: nosniff at all: https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Comment 10 Alexey Proskuryakov 2014-09-23 10:51:03 PDT
Thanks Adam, nice discussion in that bug, as they are also unsure what to do with scripts (and then with all other resource types, such as images).
Comment 11 Brent Fulgham 2015-11-05 15:24:04 PST
<rdar://problem/23412620>
Comment 12 Anne van Kesteren 2015-11-06 08:02:18 PST
Since I last commented https://fetch.spec.whatwg.org/ defines this header in more detail now. I also submitted tests for it to web-platform-tests.
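
Added example, not part of the bug thread or of WebKit's code: a JavaScript version of the nosniff blocking check for script and stylesheet loads, following the check in the Fetch Standard that comment 12 refers to (the script behaviour questioned in comment 8, and the stylesheet behaviour named in the Part 2 patch title). The function names, the lower-cased header object and the sample responses are assumptions constructed for illustration.

```javascript
// Added example (not WebKit code): the nosniff blocking decision for script
// and stylesheet loads. Header names are assumed to arrive lower-cased.

const JAVASCRIPT_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript',
  'application/x-ecmascript', 'application/x-javascript',
  'text/ecmascript', 'text/javascript', 'text/javascript1.0',
  'text/javascript1.1', 'text/javascript1.2', 'text/javascript1.3',
  'text/javascript1.4', 'text/javascript1.5', 'text/jscript',
  'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Request destinations whose response is executed as script.
const SCRIPT_LIKE = new Set([
  'script', 'worker', 'sharedworker', 'serviceworker',
  'audioworklet', 'paintworklet',
]);

const stripHttpWhitespace = (s) => s.replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, '');

// True only when the FIRST comma-separated value is "nosniff" (any case).
function determineNosniff(headers) {
  const raw = headers['x-content-type-options'];
  if (raw === undefined) return false;
  return stripHttpWhitespace(raw.split(',')[0]).toLowerCase() === 'nosniff';
}

// Returns "type/subtype" in lower case, or null when absent or malformed.
function mimeEssence(headers) {
  const raw = headers['content-type'];
  if (raw === undefined) return null;
  const essence = stripHttpWhitespace(raw.split(';')[0]).toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// 'blocked' or 'allowed' for one response, given the request destination.
function nosniffVerdict(destination, headers) {
  if (!determineNosniff(headers)) return 'allowed';
  const essence = mimeEssence(headers);
  // Scripts: a missing or non-JavaScript MIME type is refused.
  if (SCRIPT_LIKE.has(destination) &&
      (essence === null || !JAVASCRIPT_MIME_TYPES.has(essence))) {
    return 'blocked';
  }
  // Stylesheets: anything other than text/css is refused.
  if (destination === 'style' && essence !== 'text/css') return 'blocked';
  // Other destinations (images, for instance) are not covered by this check.
  return 'allowed';
}

// Constructed sample responses, not captured traffic.
const SAMPLE_RESPONSES = [
  ['script', { 'x-content-type-options': 'nosniff', 'content-type': 'text/html' }],
  ['script', { 'x-content-type-options': 'nosniff' }],
  ['script', { 'x-content-type-options': 'nosniff',
               'content-type': 'application/javascript; charset=utf-8' }],
  ['script', { 'content-type': 'text/html' }],
  ['style',  { 'x-content-type-options': 'nosniff', 'content-type': 'text/plain' }],
  ['style',  { 'x-content-type-options': 'NoSniff', 'content-type': 'text/css' }],
  ['image',  { 'x-content-type-options': 'nosniff', 'content-type': 'text/html' }],
  ['script', { 'x-content-type-options': 'foo, nosniff', 'content-type': 'text/html' }],
];

function runSamples() {
  return SAMPLE_RESPONSES.map(([dest, headers]) => nosniffVerdict(dest, headers));
}

console.log(runSamples());
```
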
Comment 13 teppeis 2016-07-20 20:47:05 PDT
Finally, Mozilla has fixed this issue in Firefox 50!
https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Comment 14 Daniel Bates 2017-04-21 17:32:18 PDT
Created attachment 307846 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Comment 15 Daniel Bates 2017-04-21 17:33:17 PDT
Created attachment 307848 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Comment 16 Daniel Bates 2017-04-21 17:34:11 PDT
Created attachment 307849 [details]
All-in-one patch for EWS
Comment 17 Daniel Bates 2017-04-21 17:55:05 PDT
Created attachment 307852 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Comment 18 Daniel Bates 2017-04-21 17:55:24 PDT
Created attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Comment 19 Daniel Bates 2017-04-21 17:55:56 PDT
Created attachment 307854 [details]
All-in-one patch for EWS
Comment 20 Daniel Bates 2017-04-21 18:11:15 PDT
Created attachment 307856 [details]
All-in-one patch for EWS
Comment 21 Daniel Bates 2017-04-21 18:14:28 PDT
Created attachment 307858 [details]
All-in-one patch for EWS
Comment 22 Daniel Bates 2017-04-21 18:14:51 PDT
Created attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Comment 23 Build Bot 2017-04-21 18:55:24 PDT
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580348

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 24 Build Bot 2017-04-21 18:55:25 PDT
Created attachment 307861 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 25 Build Bot 2017-04-21 19:29:47 PDT
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580508

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 26 Build Bot 2017-04-21 19:29:49 PDT
Created attachment 307864 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 27 Build Bot 2017-04-21 19:43:28 PDT
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580670

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 28 Build Bot 2017-04-21 19:43:30 PDT
Created attachment 307866 [details]
Archive of layout-test-results from ews102 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 29 Build Bot 2017-04-21 19:59:21 PDT
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 307853 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3580661

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 30 Build Bot 2017-04-21 19:59:23 PDT
Created attachment 307867 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 31 Build Bot 2017-04-21 20:06:11 PDT
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580684

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 32 Build Bot 2017-04-21 20:06:12 PDT
Created attachment 307868 [details]
Archive of layout-test-results from ews104 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 33 Build Bot 2017-04-21 20:19:19 PDT
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3580763

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 34 Build Bot 2017-04-21 20:19:21 PDT
Created attachment 307870 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 35 Build Bot 2017-04-21 20:24:46 PDT
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580882

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 36 Build Bot 2017-04-21 20:24:48 PDT
Created attachment 307872 [details]
Archive of layout-test-results from ews101 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 37 Build Bot 2017-04-21 20:41:31 PDT
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3580910

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 38 Build Bot 2017-04-21 20:41:33 PDT
Created attachment 307875 [details]
Archive of layout-test-results from ews116 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 39 Build Bot 2017-04-21 20:54:08 PDT
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3581156

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 40 Build Bot 2017-04-21 20:54:09 PDT
Created attachment 307876 [details]
Archive of layout-test-results from ews103 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 41 Build Bot 2017-04-21 21:16:25 PDT
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3581218

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 42 Build Bot 2017-04-21 21:16:27 PDT
Created attachment 307880 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 43 Build Bot 2017-04-21 22:01:40 PDT
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 307859 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3581582

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 44 Build Bot 2017-04-21 22:01:42 PDT
Created attachment 307881 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 45 Build Bot 2017-04-21 22:11:01 PDT
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3581486

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
fast/workers/worker-exception-during-navigation.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 46 Build Bot 2017-04-21 22:11:03 PDT
Created attachment 307882 [details]
Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 47 Build Bot 2017-04-21 23:38:14 PDT
Comment on attachment 307858 [details]
All-in-one patch for EWS

Attachment 307858 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3582344

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html
Comment 48 Build Bot 2017-04-21 23:38:16 PDT
Created attachment 307895 [details]
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 49 Brent Fulgham 2017-04-24 10:06:33 PDT
Comment on attachment 307859 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

View in context: https://bugs.webkit.org/attachment.cgi?id=307859&action=review

r=me.

> Tools/Scripts/webkitperl/FeatureList.pm:330
> +      define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl()), value => \$nosniffSupport },
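
Review bot: the default on this line is a per-port allow-list, isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl(), so any port not named there builds with ENABLE_NOSNIFF off and will not apply the header's checks. A short comment beside the entry saying why the default is per-port, or a follow-up bug for the remaining ports, would make that gap visible.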

Is EFL still a thing we support?
Comment 50 Brent Fulgham 2017-04-24 10:13:49 PDT
Comment on attachment 307853 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Looks good! r=me.
Comment 51 Brent Fulgham 2017-04-24 10:14:32 PDT
It looks like the EWS failures are due to general build issues unrelated to this patch.
Comment 52 Daniel Bates 2017-04-24 16:08:27 PDT
Created attachment 308018 [details]
All-in-one patch for EWS
Comment 53 Daniel Bates 2017-04-24 17:13:45 PDT
Created attachment 308024 [details]
All-in-one patch for EWS
Comment 54 Daniel Bates 2017-04-24 20:08:21 PDT
Created attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms
Comment 55 Daniel Bates 2017-04-24 20:08:57 PDT
Created attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results
Comment 56 Build Bot 2017-04-24 21:18:16 PDT
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599176

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Comment 57 Build Bot 2017-04-24 21:18:18 PDT
Created attachment 308060 [details]
Archive of layout-test-results from ews100 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 58 Build Bot 2017-04-24 21:18:41 PDT
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3599152

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Comment 59 Build Bot 2017-04-24 21:18:43 PDT
Created attachment 308061 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 60 Build Bot 2017-04-24 21:37:10 PDT
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599142

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 61 Build Bot 2017-04-24 21:37:12 PDT
Created attachment 308062 [details]
Archive of layout-test-results from ews101 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 62 Build Bot 2017-04-24 21:42:24 PDT
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3599156

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 63 Build Bot 2017-04-24 21:42:26 PDT
Created attachment 308063 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 64 Build Bot 2017-04-24 22:10:44 PDT
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599390

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Comment 65 Build Bot 2017-04-24 22:10:46 PDT
Created attachment 308064 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 66 Build Bot 2017-04-24 22:12:12 PDT
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3599299

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 67 Build Bot 2017-04-24 22:12:14 PDT
Created attachment 308065 [details]
Archive of layout-test-results from ews112 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 68 Build Bot 2017-04-24 22:49:04 PDT
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

Attachment 308054 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3599494

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
Comment 69 Build Bot 2017-04-24 22:49:06 PDT
Created attachment 308068 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 70 Build Bot 2017-04-24 22:57:56 PDT
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

Attachment 308053 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3599464

New failing tests:
imported/w3c/web-platform-tests/fetch/nosniff/script.html
imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
Comment 71 Build Bot 2017-04-24 22:57:58 PDT
Created attachment 308069 [details]
Archive of layout-test-results from ews124 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Comment 72 Daniel Bates 2017-04-25 03:23:58 PDT
(In reply to Build Bot from comment #68)
> Comment on attachment 308054 [details]
> Part 2: Honor nosniff header for stylesheets, update tests and expected
> results
> 
> Attachment 308054 [details] did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3599494
> 
> New failing tests:
> imported/w3c/web-platform-tests/fetch/nosniff/script.html
> http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html
> http/tests/security/contentTypeOptions/nosniff-script-blocked.html
> imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff.html
> imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html
> http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Disregard these failures.

Notice that the all-in-one patch (attachment #308024 [details]) passed all EWS bots. This part fails EWS because it unskips nosniff tests but ENABLE(NOSNIFF) is disabled.
Comment 73 Daniel Bates 2017-04-25 03:25:41 PDT
(In reply to Build Bot from comment #70)
> Comment on attachment 308053 [details]
> Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows
> platforms
> 
> Attachment 308053 [details] did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3599464
> 
> New failing tests:
> imported/w3c/web-platform-tests/fetch/nosniff/script.html
> imported/w3c/web-platform-tests/fetch/nosniff/parsing-

Disregard these failures.

Notice that the all-in-one patch (attachment #308024 [details]) passed all EWS bots. This part fails EWS because ENABLE(NOSNIFF) is enabled, but it does not contain updated expected results.
Comment 74 Daniel Bates 2017-04-25 03:30:05 PDT
(In reply to Brent Fulgham from comment #49)
> > Tools/Scripts/webkitperl/FeatureList.pm:330
> > +      define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() || isAppleWinWebKit() || isEfl()), value => \$nosniffSupport },
> 
> Is EFL still a thing we support?

Will remove before landing as we no longer have EFL build.webkit.org buildbots or EWS bots.
Comment 75 Brent Fulgham 2017-04-25 08:48:51 PDT
Comment on attachment 308053 [details]
Part 1: Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms

r=me.
Comment 76 Brent Fulgham 2017-04-25 08:50:11 PDT
Comment on attachment 308054 [details]
Part 2: Honor nosniff header for stylesheets, update tests and expected results

r=me
Comment 77 Daniel Bates 2017-04-25 13:26:21 PDT
Committed r215753: <http://trac.webkit.org/changeset/215753>