Fetching a worker-imported script should respect the X-Content-Type-Options: nosniff header as such a fetch is ultimately a "main fetch" and according to "main fetch":

[[
17. If response is not a network error and any of the following algorithms returns blocked, then set response and internalResponse to a network error:
...
should internalResponse to request be blocked due to no sniff
]]
<https://fetch.spec.whatwg.org/#main-fetch> (30 March 2017)

This functionality is exercised by the Web Platform Test <https://trac.webkit.org/browser/trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html?rev=200195>.
<rdar://problem/31819023>
Created attachment 308957 [details] Patch
Comment on attachment 308957 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=308957&action=review

> Source/WebCore/workers/WorkerScriptLoader.cpp:2
> + * Copyright (C) 2009, 2017 Apple Inc. All Rights Reserved.

2009-2017

> Source/WebCore/workers/WorkerScriptLoader.cpp:119
> + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)).convertToASCIILowercase();

Do you need to convert to ASCII lowercase here? MIMETypeRegistry does case-insensitive comparisons.
(In reply to Andy Estes from comment #3)
> Comment on attachment 308957 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=308957&action=review
>
> > Source/WebCore/workers/WorkerScriptLoader.cpp:2
> > + * Copyright (C) 2009, 2017 Apple Inc. All Rights Reserved.
>
> 2009-2017
>

Will fix.

> > Source/WebCore/workers/WorkerScriptLoader.cpp:119
> > + String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType)).convertToASCIILowercase();
>
> Do you need to convert to ASCII lowercase here? MIMETypeRegistry does
> case-insensitive comparisons.

You're right! No need to convert to lowercase as MIMETypeRegistry does the lookup case-insensitively. Will fix before landing.
Committed r216195: <http://trac.webkit.org/changeset/216195>
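
The nosniff decision that the bug description quotes from "main fetch", together with the case-insensitive MIME comparison discussed in the review, as an added C++ example that is not WebKit's code and not part of the patch. The names `blockedDueToNosniff`, `Destination` and `firstToken` are hypothetical; it assumes headers arrive as plain strings (an absent header is an empty string), takes only the first comma- or semicolon-separated token of each header, and uses the JavaScript MIME type list from the MIME Sniffing standard.

```cpp
#include <cstdio>
#include <set>
#include <string>

enum class Destination { Script, Style, Other };

// ASCII-only lowercasing, so comparisons are ASCII case-insensitive.
static std::string asciiLower(std::string s) {
    for (char& c : s) if (c >= 'A' && c <= 'Z') c = static_cast<char>(c - 'A' + 'a');
    return s;
}

// First token before `delim`, trimmed of HTTP whitespace and lowercased.
static std::string firstToken(const std::string& value, char delim) {
    std::string t = value.substr(0, value.find(delim));
    const char* ws = " \t\r\n";
    size_t b = t.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return asciiLower(t.substr(b, t.find_last_not_of(ws) - b + 1));
}

static bool isJavaScriptMIMEType(const std::string& essence) {
    static const std::set<std::string> types = {
        "application/ecmascript", "application/javascript", "application/x-ecmascript",
        "application/x-javascript", "text/ecmascript", "text/javascript",
        "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
        "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
        "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript"};
    return types.count(essence) > 0;
}

// Returns true when the response must be turned into a network error.
// An absent header is passed as an empty string (assumption of this example).
bool blockedDueToNosniff(const std::string& xContentTypeOptions,
                         const std::string& contentType, Destination destination) {
    if (firstToken(xContentTypeOptions, ',') != "nosniff") return false;
    std::string essence = firstToken(contentType, ';');  // drop parameters
    if (destination == Destination::Script) return !isJavaScriptMIMEType(essence);
    if (destination == Destination::Style) return essence != "text/css";
    return false;
}

int main() {
    // Constructed responses to an importScripts() fetch.
    std::printf("%d\n", blockedDueToNosniff("nosniff", "text/plain", Destination::Script));
    std::printf("%d\n", blockedDueToNosniff("nosniff", "Text/JavaScript; charset=utf-8", Destination::Script));
    std::printf("%d\n", blockedDueToNosniff("", "text/plain", Destination::Script));
    return 0;
}
```

A response with nosniff and no Content-Type at all is blocked for a script destination, because the empty MIME type is not in the JavaScript list.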