RESOLVED FIXED 171248
importScripts() should respect X-Content-Type-Options: nosniff
https://bugs.webkit.org/show_bug.cgi?id=171248
Summary importScripts() should respect X-Content-Type-Options: nosniff
Daniel Bates
Reported 2017-04-24 13:56:57 PDT
Fetching a worker-imported script should respect the X-Content-Type-Options: nosniff header as such a fetch is ultimately a "main fetch" and according to "main fetch":

[[
17. If response is not a network error and any of the following algorithms returns blocked, then set response and internalResponse to a network error:
...
should internalResponse to request be blocked due to no sniff
]]

<https://fetch.spec.whatwg.org/#main-fetch> (30 March 2017)

This functionality is exercised by the Web Platform Test <https://trac.webkit.org/browser/trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html?rev=200195>.
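The check the report refers to, as an added example that is not WebKit's code: the Fetch standard's "determine nosniff" and "should response be blocked due to nosniff" algorithms applied to a script-destination response, with the header lists below constructed as sample input.

```python
# Added example, not WebKit code: the Fetch-standard nosniff check that a
# worker's importScripts() fetch must apply. Header lists are constructed
# sample input in the form of (name, value) pairs.

# Script-like request destinations per the Fetch standard.
SCRIPT_LIKE_DESTINATIONS = frozenset(
    {"audioworklet", "paintworklet", "script", "serviceworker", "sharedworker", "worker"})

# JavaScript MIME types per the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def get_header(headers, name):
    """Header-list 'get': join all values for name (case-insensitive) with ', ', or None."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def parse_mime_essence(content_type):
    """Return the lowercase 'type/subtype' essence (parameters dropped), or None on failure."""
    if content_type is None:
        return None
    essence = content_type.split(";", 1)[0].strip()
    type_, sep, subtype = essence.partition("/")
    if not sep or not type_.strip() or not subtype.strip():
        return None
    return f"{type_.strip()}/{subtype.strip()}".lower()


def determine_nosniff(headers):
    """Fetch 'determine nosniff': true iff the first comma-separated value is 'nosniff'."""
    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def should_block_due_to_nosniff(headers, destination):
    """Main fetch step 17 input: True means the response becomes a network error."""
    if not determine_nosniff(headers):
        return False
    mime = parse_mime_essence(get_header(headers, "Content-Type"))
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return mime not in JAVASCRIPT_MIME_TYPES  # parse failure (None) is blocked too
    if destination == "style":
        return mime != "text/css"
    return False
```

A worker importing a text/plain resource served with nosniff is therefore blocked, while a JavaScript MIME type with parameters or mixed-case header values passes.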
Attachments
Patch (7.05 KB, patch)
2017-05-03 14:45 PDT, Daniel Bates
aestes: review+
Radar WebKit Bug Importer
Comment 1 2017-04-25 13:14:38 PDT
Daniel Bates
Comment 2 2017-05-03 14:45:29 PDT
Andy Estes
Comment 3 2017-05-04 11:20:32 PDT
Comment on attachment 308957 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=308957&action=review

> Source/WebCore/workers/WorkerScriptLoader.cpp:2
> + * Copyright (C) 2009, 2017 Apple Inc. All Rights Reserved.

2009-2017

> Source/WebCore/workers/WorkerScriptLoader.cpp:119
> + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)).convertToASCIILowercase();

Do you need to convert to ASCII lowercase here? MIMETypeRegistry does case-insensitive comparisons.
Daniel Bates
Comment 4 2017-05-04 11:23:51 PDT
(In reply to Andy Estes from comment #3)
> Comment on attachment 308957 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=308957&action=review
>
> > Source/WebCore/workers/WorkerScriptLoader.cpp:2
> > + * Copyright (C) 2009, 2017 Apple Inc. All Rights Reserved.
>
> 2009-2017

Will fix.

> > Source/WebCore/workers/WorkerScriptLoader.cpp:119
> > + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)).convertToASCIILowercase();
>
> Do you need to convert to ASCII lowercase here? MIMETypeRegistry does
> case-insensitive comparisons.

You're right! No need to convert to lowercase as MIMETypeRegistry does the lookup case-insensitively. Will fix before landing.
Daniel Bates
Comment 5 2017-05-04 11:25:47 PDT