whatwg/fetch

Add example(s) for X-Content-Type-Options

Open

#636 opened on Nov 22, 2017

View on GitHub
 (13 comments) (0 reactions) (0 assignees)HTML (2,051 stars) (394 forks)batch import
good first issue

Description

[See https://github.com/whatwg/fetch/issues/636#issuecomment-346558085 about adding examples. Below is the old purpose of this issue.]

https://fetch.spec.whatwg.org/commit-snapshots/860ab8669fb3775b77b6f81e44e5a2609db0bc93/#should-response-to-request-be-blocked-due-to-nosniff?

3.3.1. Should response to request be blocked due to nosniff? Run these steps:​ 1. If response’s header list does not contain `X-Content-Type-Options`, then return allowed. 2. Let nosniff be the result of extracting header values from the first header whose name is a byte-case-insensitive match for `X-Content-Type-Options` in response’s header list. 3. If nosniff is failure, then return allowed. 4. Let mimeType be the result of extracting a MIME type from response’s header list. 5. Let destination be request’s destination. 6. If destination is script-like and mimeType (ignoring parameters) is not a JavaScript MIME type, then return blocked. 7. If destination is "style" and mimeType (ignoring parameters) is not `text/css`, then return blocked. 8. Return allowed.

Many websites will use a blanket "nosniff" option because it's being pushed as a recommended security measure. However, many sites also do not supply a content-type header with every document/response returned. As a result, any script or style that would not have a supplied content-type in the header would, according to this spec, be blocked. Blocking should only occur on a mis-match of MIME type in the intention of this spec as I understood, and not when the MIME type is missing altogether. Since you can't compare between two values when one of them is missing, it should be allowed.

I suggest adding an additional step between 4 and 6: If mimeType is empty, then return allowed.

Contributor guide

Tech stack
htmlrest api
Domain
security
Issue type
documentation
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic understanding of HTTP headersFamiliarity with the Fetch Standard
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
50
Research direction
Review the discussion in the linked comment (https://github.com/whatwg/fetch/issues/636#issuecomment 346558085) about adding examples. The issue suggests adding an additional step in the algorithm to handle missing MIME types. Focus on providing clear examples that illustrate the nosniff behavior for script like and style destinations. Ensure examples cover cases where MIME type is missing.
Add example(s) for X-Content-Type-Options · whatwg/fetch#636 | Good First Issue