We should implement "Should response to request be blocked due to its MIME type?" from the Fetch spec:
[[
2.7. Should response to request be blocked due to its MIME type?
Run these steps:
1. Let mimeType be the result of extracting a MIME type from response’s header list.
2. Let destination be request’s destination.
3. If destination is script-like and one of the following is true, then return blocked:
   - mimeType starts with `audio/`, `image/`, or `video/`.
   - mimeType is `text/csv`.
4. Return allowed.
]]
<https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?> (16 March 2018)
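The spec steps quoted above, written out as a standalone C++ function. This is an added example, not the patch attached to this bug and not WebKit's code: all names are hypothetical, the header parsing is a simplified stand-in for the spec's MIME type extraction, and the set of script-like destinations is assumed from the Fetch spec's definition rather than taken from this page.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical names; an illustration of the quoted spec steps, not WebKit's code.
enum class Destination { Document, Image, Style, Script, Worker, SharedWorker, ServiceWorker, AudioWorklet, PaintWorklet };
enum class Verdict { Allowed, Blocked };

// Assumption: the script-like set below follows the Fetch spec's definition; the page does not list it.
static bool isScriptLike(Destination d)
{
    switch (d) {
    case Destination::Script:
    case Destination::Worker:
    case Destination::SharedWorker:
    case Destination::ServiceWorker:
    case Destination::AudioWorklet:
    case Destination::PaintWorklet:
        return true;
    default:
        return false;
    }
}

// Simplified stand-in for "extract a MIME type": drop parameters, trim
// surrounding whitespace, lowercase. The spec's extraction algorithm does more.
static std::string essenceOf(const std::string& contentType)
{
    std::string s = contentType.substr(0, contentType.find(';'));
    auto isSpace = [](unsigned char c) { return std::isspace(c) != 0; };
    s.erase(s.begin(), std::find_if_not(s.begin(), s.end(), isSpace));
    s.erase(std::find_if_not(s.rbegin(), s.rend(), isSpace).base(), s.end());
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool startsWith(const std::string& s, const char* prefix) { return s.rfind(prefix, 0) == 0; }

Verdict shouldBlockDueToMIMEType(const std::string& contentType, Destination destination)
{
    const std::string mimeType = essenceOf(contentType); // step 1
    if (!isScriptLike(destination))                      // steps 2-3: only script-like loads are checked
        return Verdict::Allowed;
    if (startsWith(mimeType, "audio/") || startsWith(mimeType, "image/")
        || startsWith(mimeType, "video/") || mimeType == "text/csv")
        return Verdict::Blocked;
    return Verdict::Allowed;                             // step 4: a blocklist, so text/plain or no type passes
}
```

The check is a blocklist: a script response with `text/plain` or no Content-Type at all is still allowed by these steps, while `image/png` served to a script destination is blocked.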
Comment on attachment 337447
Patch and layout tests
Attachment 337447 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/7242835
New failing tests:
http/tests/security/cross-origin-cached-scripts-parallel.html
http/tests/security/cross-origin-cached-scripts.html
http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
Created attachment 337449
Archive of layout-test-results from ews103 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103 Port: mac-sierra Platform: Mac OS X 10.12.6
Comment on attachment 337447
Patch and layout tests
Attachment 337447 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/7242844
New failing tests:
http/tests/security/cross-origin-cached-scripts-parallel.html
http/tests/security/cross-origin-cached-scripts.html
http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
Created attachment 337450
Archive of layout-test-results from ews125 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.4
Comment on attachment 337447
Patch and layout tests
Attachment 337447 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/7242858
New failing tests:
http/tests/security/cross-origin-cached-scripts-parallel.html
http/tests/security/cross-origin-cached-scripts.html
http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
Created attachment 337451
Archive of layout-test-results from ews112 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112 Port: mac-sierra Platform: Mac OS X 10.12.6
Comment on attachment 337447
Patch and layout tests
Attachment 337447 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/7244001
New failing tests:
http/tests/security/cross-origin-cached-scripts-parallel.html
http/tests/security/cross-origin-cached-scripts.html
http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
Created attachment 337455
Archive of layout-test-results from ews106 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
(In reply to Build Bot from comment #11)
> Comment on attachment 337447
> Patch and layout tests
>
> Attachment 337447 did not pass mac-wk2-ews (mac-wk2):
> Output: http://webkit-queues.webkit.org/results/7244001
>
> New failing tests:
> http/tests/security/cross-origin-cached-scripts-parallel.html
> http/tests/security/cross-origin-cached-scripts.html
These tests load JavaScript scripts indirectly via the helper script LayoutTests/http/tests/security/resources/allow-if-origin.php. The script allow-if-origin.php returns a response with MIME type image/png in absence of query string argument contentType. We need to update these tests to pass contentType=text/javascript to allow-if-origin.php.
> http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
This test depended on loading a JavaScript script with MIME type image/png. This is now disallowed.
> imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
Will rebase result as we now pass all sub tests.
Created attachment 337466
Archive of layout-test-results from ews101 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-sierra Platform: Mac OS X 10.12.6
Created attachment 337467
Archive of layout-test-results from ews106 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
Created attachment 337468
Archive of layout-test-results from ews113 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113 Port: mac-sierra Platform: Mac OS X 10.12.6
Created attachment 337469
Archive of layout-test-results from ews126 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.4
Comment on attachment 337523
Patch and layout tests
View in context: https://bugs.webkit.org/attachment.cgi?id=337523&action=review
> Source/WebCore/dom/LoadableClassicScript.cpp:99
> + if (!m_error && shouldResponseToRequestDestinationBeBlockedDueToMIMEType(m_cachedScript->response(), m_cachedScript->options().destination)) {
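Review bot: on the added condition, the destination is read from `m_cachedScript->options().destination`, and per the spec steps quoted at the top of this bug any destination that is not script-like returns allowed, so a script load that reaches this line with the destination unset or left at a default would pass the check silently. Suggest asserting here that the destination is script-like, or noting in a comment where it is guaranteed to be set for script loads.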
This name is hard to digest.
I'd suggest something shorter and less specific.
The method is solely for script destinations and mime types *right now* but I don't think we need to make sure the name makes that so explicitly clear.
I would actually be perfectly happy with "shouldBlockResponse()"
Created attachment 337538
Archive of layout-test-results from ews106 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
Created attachment 337539
Archive of layout-test-results from ews125 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.4
Created attachment 337541
Archive of layout-test-results from ews113 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113 Port: mac-sierra Platform: Mac OS X 10.12.6
Created attachment 337555
Archive of layout-test-results from ews100 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100 Port: mac-sierra Platform: Mac OS X 10.12.6
This change broke the Windows build:
c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): error C2220: warning treated as error - no 'object' file generated [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): warning C4715: 'WebCore::destinationForType': not all control paths return a value [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
https://build.webkit.org/builders/Apple%20Win%20Release%20%28Build%29/builds/8783
(In reply to Ryan Haddad from comment #34)
> This change broke the Windows build:
>
> c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): error C2220: warning treated as error - no 'object' file generated [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
> c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): warning C4715: 'WebCore::destinationForType': not all control paths return a value [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
>
> https://build.webkit.org/builders/Apple%20Win%20Release%20%28Build%29/builds/8783
Committed build fix in <https://trac.webkit.org/changeset/230616/>.
2018-04-07 10:22 PDT, Daniel Bates
2018-04-07 20:46 PDT, Daniel Bates
2018-04-07 23:46 PDT, Daniel Bates
2018-04-08 01:00 PDT, EWS Watchlist
2018-04-08 01:24 PDT, EWS Watchlist
2018-04-08 01:27 PDT, EWS Watchlist
2018-04-08 04:38 PDT, EWS Watchlist
2018-04-08 14:07 PDT, Daniel Bates
2018-04-08 15:20 PDT, EWS Watchlist
2018-04-08 15:26 PDT, EWS Watchlist
2018-04-08 15:46 PDT, EWS Watchlist
2018-04-08 15:47 PDT, EWS Watchlist
2018-04-09 12:25 PDT, Daniel Bates
ews-watchlist: commit-queue-
2018-04-09 13:49 PDT, EWS Watchlist
2018-04-09 13:55 PDT, EWS Watchlist
2018-04-09 14:20 PDT, EWS Watchlist
2018-04-09 15:41 PDT, EWS Watchlist