commit | 14bc0a5f5b710feb11504db0432c3719a2216aaa | |
---|---|---|
author | mkwst <mkwst@chromium.org> | Fri Sep 02 11:15:31 2016 |
committer | Commit bot <commit-bot@chromium.org> | Fri Sep 02 11:19:15 2016 |
tree | 0e5fc86ba8c6862c12941139212c8845e7dc1fe7 | |
parent | 1c12b81fcf9cf40d2155e950e56cf61e0ebb97b0 | |
Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Currently, `<script src="whatever"></script>` will execute the resource at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't opt-in to additional protection by sending an `X-Content-Type-Options: nosniff` header). This patch tightens that to exclude `text/csv` as well as `audio/*` and `video/*` by default.

Spec: https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/AHsFvhHzh1o/GHj6QCdMAAAJ
Discussion: https://github.com/whatwg/fetch/issues/337

BUG=433049
Review-Url: https://codereview.chromium.org/2294283002
Cr-Commit-Position: refs/heads/master@{#416235}
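The before/after rule the commit message describes, written out as a standalone C++ check (an added illustration, not Chromium's or the Fetch spec's own code). `MimeEssence`, `BlockedAsScriptBefore` and `BlockedAsScriptAfter` are names chosen here; the handling of the `nosniff` opt-in (only a JavaScript MIME type may execute, modelled with a subset of the spec's type list) is an assumption taken from the Fetch spec rather than from this commit.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Lowercase the type/subtype and drop any parameters (";charset=...")
// so "Text/CSV; header=present" compares as "text/csv".
std::string MimeEssence(std::string content_type) {
  const size_t semi = content_type.find(';');
  if (semi != std::string::npos) content_type.erase(semi);
  const size_t first = content_type.find_first_not_of(" \t");
  const size_t last = content_type.find_last_not_of(" \t");
  if (first == std::string::npos) return "";
  content_type = content_type.substr(first, last - first + 1);
  std::transform(content_type.begin(), content_type.end(),
                 content_type.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return content_type;
}

bool HasPrefix(const std::string& s, const std::string& prefix) {
  return s.compare(0, prefix.size(), prefix) == 0;
}

// Pre-patch behaviour described in the commit message: a <script>
// response is refused only when its MIME type is image/*.
bool BlockedAsScriptBefore(const std::string& content_type) {
  return HasPrefix(MimeEssence(content_type), "image/");
}

// Post-patch behaviour: audio/*, video/* and text/csv are refused too.
// `nosniff` models the X-Content-Type-Options opt-in; the assumption
// made here (Fetch spec, not this commit) is that with nosniff only a
// JavaScript MIME type may be executed as script.
bool BlockedAsScriptAfter(const std::string& content_type, bool nosniff) {
  const std::string essence = MimeEssence(content_type);
  if (nosniff) {
    static const char* const kJavaScriptTypes[] = {
        "text/javascript", "application/javascript",
        "application/x-javascript", "text/ecmascript",
        "application/ecmascript"};  // subset of the spec's list
    for (const char* t : kJavaScriptTypes)
      if (essence == t) return false;
    return true;
  }
  return HasPrefix(essence, "image/") || HasPrefix(essence, "audio/") ||
         HasPrefix(essence, "video/") || essence == "text/csv";
}
```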