-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORB++: CSS #964
Comments
Huh, is that spec'd? https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet:process-the-linked-resource suggests the content type must be |
|
Hah. So what's the actual behaviour here then? Is it: Cross origin styleheets are blocked if the |
In Gecko, the behavior is "Blocked if there is a content-type header result of parsing the content-type header produces a nonempty string". I suspect based on code inspection, but have not tested, that something like:
would get treated as "empty string" in Gecko, for example. And not sure about this one:
If we want to know the actual behavior across browsers, we'll need to write some testcases and maybe do some code-sleuthing. |
Interesting! Given the error resilience of CSS, sniffing it sounds hard. Could CSS resources be sanitised out-of-process? As in, ditch everything that doesn't roughly-parse before it enters the process? |
It's not immediately clear how that would help as we don't necessarily know where a response will end up getting used due to service workers. All we have is a response and we need to determine whether to allow it through. I suppose instead of the final step of https://github.com/annevk/orb we could return the resource after it has been parsed as CSS rather than blocking it (and modify some of the other steps to not require a MIME type). Hmm... |
Closing this in favor of annevk/orb#28. |
#721 (comment) has a sketch for the CORB++ idea. Basically, all opaque responses apart from a couple "safelisted responses" are blocked by the networking layer and turned into network errors.
In https://bugzilla.mozilla.org/show_bug.cgi?id=1531405 Mozilla looked at
Content-Type
headers for opaque responses that might end up being used as style sheets. For Firefox 71 beta, the breakdown is as follows (similar breakdown for other releases so I suspect this is representative enough):text/css
: 99.48%The main problem I see here is "No header". The platform treats this as
text/css
and 0.17% seems too high to block. (Note that "Other" is already blocked. Empty/Failed are not blocked currently I think, but could be.) This means that we either have to sniff CSS in addition to JavaScript or give up completely on resources without aContent-Type
header. That is, in order to protect against Spectre and memory exploits you need aContent-Type
header set on any resource you put online (and ideally you also haveX-Content-Type-Options
set or CORP obviously as otherwise it still gets sniffed and might end up exposed if it parses as JavaScript).@bzbarsky @valenting @jakearchibald @anforowicz @youennf thoughts?
The text was updated successfully, but these errors were encountered: