Bug 171678

Summary: Cleanup: Extract CachedScript::mimeTypeAllowedByNosniff() into a common function
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, buildbot, cdumez, esprehn+autocc, japhet, kangil.han
Priority: P2    
Version: WebKit Local Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch aestes: review+

Daniel Bates
Reported 2017-05-04 11:33:22 PDT
CachedScript::mimeType() is only used by CachedScript::mimeTypeAllowedByNosniff(). Moreover, it is unnecessary to lowercase the MIME type before querying MIMETypeRegistry as MIMETypeRegistry performs lookup case-insensitively. We should remove the lowercase conversion and inline CachedScript::mimeType() into CachedScript::mimeTypeAllowedByNosniff().
Attachments
Patch (7.81 KB, patch)
2017-05-04 11:59 PDT, Daniel Bates 		aestes: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2017-05-04 11:51:17 PDT
Even better, we should extract CachedScript::mimeTypeAllowedByNosniff() into a common function that can be shared by LoadableClassicScript and WorkerScriptLoader.
Daniel Bates
Comment 2 2017-05-04 11:59:26 PDT
Created attachment 309075 [details] Patch
Daniel Bates
Comment 3 2017-05-04 12:02:46 PDT
I am open to suggestions on the name and placement of isScriptAllowedByNosniff(). When I wrote the patch (attachment #309075 [details]) I put this function in ResourceResponseBase.{cpp, h} because it operates on a ResourceResponse.
Andy Estes
Comment 4 2017-05-04 12:06:20 PDT
Comment on attachment 309075 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=309075&action=review > Source/WebCore/platform/network/ResourceResponseBase.cpp:47 > + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)); > + return parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions)) != ContentTypeOptionsNosniff || MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType); Seems like this could be broken up a bit. For instance, if parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions)) is true then you don't need to compute the mimeType from the ContentType header.
Andy Estes
Comment 5 2017-05-04 12:07:05 PDT
(In reply to Andy Estes from comment #4) > Comment on attachment 309075 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=309075&action=review > > > Source/WebCore/platform/network/ResourceResponseBase.cpp:47 > > + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)); > > + return parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions)) != ContentTypeOptionsNosniff || MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType); > > Seems like this could be broken up a bit. For instance, if > parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName:: > XContentTypeOptions)) is true ... is not ContentTypeOptionsNosniff, that is.
Daniel Bates
Comment 6 2017-05-04 12:48:05 PDT
(In reply to Andy Estes from comment #4) > Comment on attachment 309075 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=309075&action=review > > > Source/WebCore/platform/network/ResourceResponseBase.cpp:47 > > + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)); > > + return parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions)) != ContentTypeOptionsNosniff || MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType); > > Seems like this could be broken up a bit. For instance, if > parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName:: > XContentTypeOptions)) is true then you don't need to compute the mimeType > from the ContentType header. Wow, I need more sleep. Will update code before landing to implement isScriptAllowedByNosniff() as follows: bool isScriptAllowedByNosniff(const ResourceResponse& response) { if (parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions)) != ContentTypeOptionsNosniff) return true; String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)); return MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType); }
Daniel Bates
Comment 7 2017-05-04 12:49:55 PDT
Committed r216199: <http://trac.webkit.org/changeset/216199>
Note You need to log in before you can comment on or make changes to this bug.