Should we still sniff if Content-Type is text/html? #173
Comments
cc @annevk
As far as I can tell from https://chromium.googlesource.com/chromium/src/net/+/refs/heads/main/base/mime_sniffer.cc Chromium does not appear to sniff @MattMenke2 I see you touched that Chromium code quite a bit, any thoughts? @valenting @mozfreddyb do either of you know what Gecko does for
I don't claim to be an expert on what MIME sniffing should actually do, but yes, my reading is also that Chrome does not sniff responses with a text/html content-type. I also agree that Chrome's sniffing of files with those XML MIME types looks to violate spec, and would certainly love to see more standardization here (especially in the direction of less sniffing). Note that I'm no longer on Chrome's networking team. I'm still on Chrome, and still happy to talk about these things, just not a good decision person or driver of changes around, e.g., not sniffing files with XML types.
As far as I can tell we don't create an nsUnknownDecoder if it's already present on the response.
There's also a sniff happening here, if
cc @otherdaniel, who's looking into sniffing (or not) insofar as it impacts ORB.
As no user agent today appears to identify a text/html resource starting with <rss as XML, remove those rules from the standard. At the same time, make it more clear that XML (and now HTML) are never sniffed. This is a non-normative change for clarity. Tests: TBD. Closes #173.
@otherdaniel @valenting @farre @sefeng211 @MattMenke2 anyone willing to review #192?
As no user agent today appears to identify a text/html resource starting with <rss as XML, remove those rules from the standard. At the same time, make it more clear that XML (and now HTML) are never sniffed. This part is a non-normative change for clarity. Tests: web-platform-tests/wpt#47002. Closes #173.
I recently investigated a web-platform-test failure (html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative.html) in WebKit/CFNetwork and found out that it was caused by sniffing when the Content-Type is text/html:
X-Content-Type-Options: nosniff header to download_stash.py web-platform-tests/wpt#41037
This test is passing in Chrome and Firefox so I am wondering. Does the specification (https://mimesniff.spec.whatwg.org/#determining-the-computed-mime-type-of-a-resource) really match Chrome and Firefox here?
Should CFNetwork stop sniffing when the Content-Type is text/html?
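The rule the change above describes (supplied XML and HTML types are never sniffed, including a text/html body that starts with `<rss`), as an added JavaScript sketch that is not part of the thread, the standard's text or any browser's code. Function names, the `legacyFeedRule` switch and the sample bodies are assumptions; bodies are strings rather than bytes, only a few unknown-type patterns are modelled, and image/audio/video sniffing is left out.

```javascript
// Added sketch: hypothetical names, simplified subset of MIME sniffing.
const UNKNOWN_TYPES = new Set(["unknown/unknown", "application/unknown", "*/*"]);

// Essence = "type/subtype", lowercased, parameters dropped; null if unusable.
function essence(contentType) {
  if (!contentType) return null;
  const e = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(e) ? e : null;
}

function isXmlType(e) {
  return e === "text/xml" || e === "application/xml" || e.endsWith("+xml");
}

// Subset of the unknown-type rules. Scriptable types (HTML, XML) are only
// identified when sniffing is not disabled by nosniff.
function sniffUnknown(body, sniffScriptable) {
  const s = body.replace(/^[\t\n\f\r ]+/, "").toLowerCase();
  if (sniffScriptable) {
    if (/^<(!doctype html|html|head|body|script)[ >]/.test(s)) return "text/html";
    if (s.startsWith("<?xml")) return "text/xml";
  }
  // No binary data bytes in the body: treat as text (simplified fallback).
  return /[\x00-\x08\x0B\x0E-\x1A\x1C-\x1F]/.test(body)
    ? "application/octet-stream"
    : "text/plain";
}

// legacyFeedRule models the removed behaviour (text/html starting with <rss
// re-labelled as a feed) so the two outcomes can be compared side by side.
function computedMimeType(contentType, body, { noSniff = false, legacyFeedRule = false } = {}) {
  const e = essence(contentType);
  if (e === null || UNKNOWN_TYPES.has(e)) return sniffUnknown(body, !noSniff);
  if (noSniff) return e;          // X-Content-Type-Options: nosniff
  if (isXmlType(e)) return e;     // XML is never sniffed
  if (e === "text/html") {
    if (legacyFeedRule && /^\s*<rss[\s>]/i.test(body)) return "application/rss+xml";
    return e;                     // HTML is never sniffed
  }
  return e;                       // other types: sniffing not modelled here
}

// Constructed sample: a feed-looking body served as text/html.
const feedBody = '<rss version="2.0"><channel></channel></rss>';
console.log(computedMimeType("text/html; charset=utf-8", feedBody));
console.log(computedMimeType("text/html", feedBody, { legacyFeedRule: true }));
```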