Add X-Content-Type-Options: nosniff header to download_stash.py
#41037
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Note that https://mimesniff.spec.whatwg.org/#determining-the-computed-mime-type-of-a-resource says to sniff when the content-type is text/html so I am a bit surprised the tests using this script are passing in Chrome and Firefox. |
cdumez
force-pushed
the
download_stash_add_nosniff_header
branch
from
7121803 to
aa21682
Compare
annevk
approved these changes
Jul 14, 2023
annevk
reviewed
Jul 14, 2023
Comment on lines
8
to
9
| // Make sure to disable sniffing because it would read enough bytes to finish | ||
| // the load, before even giving the client application a chance to cancel it. |
There was a problem hiding this comment.
Suggested change
| // Make sure to disable sniffing because it would read enough bytes to finish | |
| // the load, before even giving the client application a chance to cancel it. | |
| # Make sure to disable sniffing because it would read enough bytes to finish | |
| # the load, before even giving the client application a chance to cancel it. |
The page serves the "text/html" Content-Type, which triggers sniffing in CFNetwork. As a result, CFNetwork will read up to 512 bytes before telling the client about the network response. In the context of this test, up to 512 bytes means CFNetwork finishes the whole load before even notifying the client of the response and thus allowing the client to cancel. This means that CFNetwork clients like WebKit on Apple platforms finish the load and that the token gets set, even if the client rejected the download and tried to cancel the load. Add the `X-Content-Type-Options: nosniff` to disable sniffing, to make sure that the network response doesn't get delayed and so that clients have a chance to cancel the load before it completes.
cdumez
force-pushed
the
download_stash_add_nosniff_header
branch
from
aa21682 to
cf0df3b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The page serves the "text/html" Content-Type, which triggers sniffing in CFNetwork. As a result, CFNetwork will read 512 bytes before telling the client about the network response.
In the context of this test, 512 bytes means CFNetwork finishes the whole load before even notifying the client of the response and thus allowing the client to cancel. This means that CFNetwork clients like WebKit on Apple platforms finish the load and that the token gets set, even if the client rejected the download and tried to cancel the load.
Add the
X-Content-Type-Options: nosniffto disable sniffing, to make sure that the network response doesn't get delayed and so that clients have a chance to cancel the load before it completes.