Re: Intent to Ship - Support XCTO: nosniff for navigations
On 9/5/19 9:20 AM, Sebastian Streich wrote:
> In Firefox 70 I intend to enable nosniff support for page navigations by default.

We're still doing stream converters for navigations even if that header is sent. Is that intended? I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1579176 to track that.

> If a server's response does not include any mime-type but sets the response header "XCTO: nosniff" then Firefox will prompt the user to download the file

Is that definitely known to be true? Based on code inspection it looks like this case will set the type to UNKNOWN_CONTENT_TYPE, then keep trying to do stream conversion things with it 20 times in a row (or whatever the "general.document_open_conversion_depth_limit" pref is set to), and then kick it over to the helper app handler. After that what happens depends on whether the user might have a helper app defined for that type and so forth.

If we actually mean to force a download, we should probably be doing so explicitly.

-Boris

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to Ship - Support XCTO: nosniff for navigations
On Thu, Sep 5, 2019 at 6:21 AM Sebastian Streich wrote:
> Link to standard:
> https://fetch.spec.whatwg.org/#x-content-type-options-header

That bit of the standard doesn't describe this behavior--it still only talks about scripts and style. Is there an issue or PR to update the spec to describe this blocking?

> Is this feature enabled by default in sandboxed iframes? N/A

> Will we still try to sniff if you frame the victim resource instead of navigating to it at the top level?

Checking the code this does apply to TYPE_SUBDOCUMENT and I don't see any "if sandboxed" checks, so I think your answer here should be "Yes: it applies to sandboxed frames by default".
Intent to Ship - Support XCTO: nosniff for navigations
Currently the support for “X-Content-Type-Options: nosniff” is limited to CSS and JS resources. In Firefox 70 I intend to enable nosniff support for page navigations by default. If a server's response does not include any mime-type but sets the response header "XCTO: nosniff" then Firefox will prompt the user to download the file instead of trying to sniff the mime-type, eliminating the attack vector of so called mime-confusion attacks.

Supporting XCTO: nosniff not only for JS and CSS but also for top-level navigations will create parity with other browsers (Chrome, Safari) who are already supporting XCTO: nosniff for navigations.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1428473

Link to standard: https://fetch.spec.whatwg.org/#x-content-type-options-header

Platform coverage: This will be exposed to all platforms.

Estimated or target release: Firefox 70

Is this feature enabled by default in sandboxed iframes? N/A

DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1571415

Do other browser engines implement this? Yes

Secure contexts: This feature isn’t restricted to Secure Contexts.

Bug implementing and enabling this feature:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1469592
- https://bugzilla.mozilla.org/show_bug.cgi?id=1570658
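Added example, not code from Mozilla or from anyone in this thread: the Fetch spec's "determine nosniff" steps for the header linked above, plus a small classifier for the navigation outcome the intent describes. The outcome labels are assumed names, and the helper-app path Boris raises is deliberately not modelled.

```python
"""Decide whether a response opts out of MIME sniffing (Fetch spec,
"determine nosniff") and what that means for a navigation per the
intent-to-ship text. Sample headers below are constructed."""
from __future__ import annotations


def _get_header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def determine_nosniff(headers: dict[str, str]) -> bool:
    """Fetch spec steps: get X-Content-Type-Options, split it on commas,
    and return true only if the FIRST value is an ASCII case-insensitive
    match for "nosniff". A later "nosniff" in the list does not count."""
    raw = _get_header(headers, "X-Content-Type-Options")
    if raw is None:
        return False
    first = raw.split(",", 1)[0].strip(" \t")  # strip HTTP whitespace
    return first.lower() == "nosniff"


def classify_navigation(headers: dict[str, str]) -> str:
    """Outcome for a top-level navigation (or TYPE_SUBDOCUMENT load) as the
    intent describes it. Assumed labels:
      "honour-type": Content-Type present; the intent does not change this path
      "download":    no Content-Type and nosniff set -> prompt to download
      "sniff":       no Content-Type and no nosniff -> content sniffing"""
    content_type = _get_header(headers, "Content-Type")
    if content_type is not None and content_type.strip():
        return "honour-type"
    return "download" if determine_nosniff(headers) else "sniff"


# Constructed sample responses, one dict of headers each.
SAMPLES = {
    "typed+nosniff": {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"},
    "untyped+nosniff": {"x-content-type-options": "NOSNIFF"},
    "untyped+list": {"X-Content-Type-Options": "foo, nosniff"},  # first value wins
    "untyped": {},
}


def classify_samples() -> dict[str, str]:
    """Run the classifier over every sample; handy as a regression check."""
    return {name: classify_navigation(hdrs) for name, hdrs in SAMPLES.items()}
```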