Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit X-Content-Type-Options usage to scripts and stylesheets #767

Open
alrra opened this issue Jan 22, 2018 · 8 comments
Open

Limit X-Content-Type-Options usage to scripts and stylesheets #767

alrra opened this issue Jan 22, 2018 · 8 comments
Labels
question

Comments

@alrra
Copy link
Contributor

alrra commented Jan 22, 2018

Ref whatwg/fetch#395
@molant
Copy link
Member

molant commented Jan 22, 2018

If I understand correctly the issue you point, nosniff is only for scripts and styles. So you are proposing to update the x-content-type-options rule to only validate nosniff in those cases?

@alrra
Copy link
Contributor Author

alrra commented Jan 22, 2018
edited
Loading

So you are proposing to update the x-content-type-options rule to only validate nosniff in those cases?

Yes something like that. Will need to look into things to better understand what needs to be updated.

@alrra alrra mentioned this issue Jan 23, 2018
Closed
4 tasks
@alrra alrra changed the title Look into X-Content-Type-Options: nosniff for images Limit X-Content-Type-Options usage to scripts and stylesheets Jan 23, 2018
@alrra alrra closed this as completed in 6a2f29b Jan 23, 2018
@Nikerabbit
Copy link

It seems there is a misunderstanding here, I'm just not sure whether it is mine or yours.

Per my understanding the issue is the opposite. If you are serving a script file with content type text/javascript then adding X-Content-Type-Options: nosniff does nothing, because you already let the browser know that it can execute it as a script (it would only be relevant if one tried to load a script as a stylesheet or vice versa).

So, again per my understanding, this header must be present on files that are not scripts or stylesheets. Like https://sonarwhal.com/docs/user-guide/rules/x-content-type-options/ says, the goal is to prevent a user uploading (as an example) a PNG file that contains JavaScript and then instructing other users' browsers to load that file as a script file and execute it (even though it is served as image/png).

@alrra
Copy link
Contributor Author

alrra commented Jan 30, 2018

. If you are serving a script file with content type text/javascript then adding X-Content-Type-Options: nosniff does nothing

Yes, we can make the rule smarter in that sense and not require the header if <script src=..> file is sent with a JavaScript media type and/or <link rel="stylesheet"..> file is sent with text/css. However, my concern is that people that don't integrate sonarwhal as part of their testing will just test once see that everything is fine, and maybe at a later moment get bitten by this.

this header must be present on files that are not scripts or stylesheets.

Yes, we need to update a bit the documentation and provide better server configs. However regarding the server configs I don't think there is a way to target only files that are specified inside <scripts> or <link rel="stylesheet"> so maybe go back and suggest sending the header for everything?

@alrra alrra reopened this Jan 30, 2018
alrra added a commit that referenced this issue Jan 30, 2018
@alrra
Chore: Remove inaccurate server configs
dfbceca 
Temporary remove the server configs examples for the
`x-content-type-options` rule until we better figure
out things.

- - - - - - - - - - - - - - - - - - - - - - - - - - -

Ref #767
@alrra alrra added the question label Feb 1, 2018
smockle added a commit to smockle/smockle.com that referenced this issue Mar 11, 2018
@smockle
Sonarwhal incorrectly checks for 'X-Content-Type-Options' header; dis…
804a8c4 
…able rule

webhintio/hint#767
@molant
Copy link
Member

molant commented Apr 16, 2018

We might have to look into CORB

@alrra
Copy link
Contributor Author

alrra commented Apr 26, 2018

We might have to look into CORB

https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md

@alrra alrra mentioned this issue Aug 8, 2018
Closed
@molant molant mentioned this issue Sep 10, 2018
Closed
@Malvoz Malvoz mentioned this issue Jan 8, 2019
Open
@Malvoz
Copy link
Member

Malvoz commented Oct 13, 2019
edited
Loading

In conjunction to nosniffing CSS and JS (per "Should response to request be blocked due to nosniff?"), the section "Determining whether a response is CORB-protected" in the Google CORB explainer says:

If the response contains X-Content-Type-Options: nosniff response header, then the response will be CORB-protected if its Content-Type header is one of the following:

  • HTML MIME type
  • XML MIME type (except image/svg+xml which is CORB-exempt as described above)
  • JSON MIME type
  • text/plain

Should probably track the progress of adding more CORB-protected MIME-Types in whatwg/fetch#860 (comment) and whatwg/fetch#721 (in any case where the concluded MIME-Type to protect would also require the X-Content-Type-Options header).

@molant molant mentioned this issue Dec 2, 2019
Open
@lei499894122

This comment was marked as off-topic.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@molant @Nikerabbit @alrra @Malvoz @lei499894122