nosniff and images #395

Closed
annevk opened this Issue Oct 3, 2016 · 8 comments

@annevk
Member
annevk commented Oct 3, 2016

Firefox ran into problems supporting nosniff for images (Chrome doesn't support it there). @ckerschb is going to figure out if we can enable it at some future point: https://bugzilla.mozilla.org/show_bug.cgi?id=1302539. If that doesn't work out, we'll have to change the specification.

@annevk
Member
annevk commented Nov 23, 2016

@ckerschb what do you think, is it worth it to try and enable this at some point or should we just give up on having nosniff for that?

@mikewest thoughts?

The specification also has it for fonts, media, and media track resources. I'm guessing we want to give up on those too and only handle style and script resources?

@zcorpan are media track resources still safe (like images are)?

@zcorpan
Member
zcorpan commented Nov 23, 2016

Yes. At least if only WebVTT is supported. TTML2 supports external resources, apparently, though I have pointed out that that is a problem.

@annevk
Member
annevk commented Nov 23, 2016

Okay, I hope no user agent plans on implementing that.

Given that, I'd be okay with restricting nosniff to just style and script forever.

@mikewest
Member

In an ideal world, supporting nosniff everywhere makes sense. Realistically, script and style are the important ones, and it's not clear to me that it's worth prioritizing work on things like nosniff support for images.

Perhaps Mozilla folks who supported the change could give a bit of detail about the relative priority? If I'm wrong, then we can make time.

@annevk annevk added a commit that referenced this issue Dec 16, 2016
@annevk annevk Only use nosniff for "script" and "style"
For “image” it was not web-compatible and checking the others doesn’t
seem worth it given there are no known issues with sniffing there.

Closes #395.
66f0f02
@annevk
Member
annevk commented Dec 16, 2016

Created a PR to apply it to "script" and "style" only.

@annevk annevk added a commit to w3c/web-platform-tests that referenced this issue Dec 16, 2016
@annevk annevk Images are always sniffed
See whatwg/fetch#395 for details.
8edebdc
@annevk annevk referenced this issue in w3c/web-platform-tests Dec 16, 2016
Merged

Images are always sniffed #4356

@annevk
Member
annevk commented Dec 16, 2016

Also created a WPT PR.

@annevk
Member
annevk commented Dec 16, 2016

(Seems Chrome still fails several nosniff tests around workers and such.)

@annevk annevk added a commit to w3c/web-platform-tests that referenced this issue Dec 19, 2016
@annevk annevk Images are always sniffed
See whatwg/fetch#395 for details.
e1e2bfb
@annevk annevk closed this in #438 Dec 19, 2016
@annevk annevk added a commit that referenced this issue Dec 19, 2016
@annevk annevk Only use nosniff for "script" and "style"
For “image” it was not web-compatible and checking the others doesn’t
seem worth it given there are no known issues with sniffing there.

Tests: w3c/web-platform-tests#4356.

Closes #395.
169de91
@annevk
Member
annevk commented Dec 19, 2016

The Gecko bugs that get resolved through this change are: https://bugzilla.mozilla.org/show_bug.cgi?id=1289055, https://bugzilla.mozilla.org/show_bug.cgi?id=1289056, and https://bugzilla.mozilla.org/show_bug.cgi?id=1289057. Haven't closed them myself since @ckerschb might have to do some cleanup.
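
The outcome of this thread (nosniff enforced only for "script" and "style" destinations, images and other resource types always sniffed), sketched as an added example that is not part of the original thread or the specification's own text. The function names, the lowercased-header input shape, the simplified header parsing and the subset of JavaScript MIME types are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the nosniff check after this change.
// Assumption: a subset of JavaScript MIME type essences, enough for the demo.
const JS_TYPES = new Set([
  "text/javascript",
  "application/javascript",
  "application/ecmascript",
  "text/ecmascript",
  "application/x-javascript",
]);

// Lowercased "type/subtype" part of a Content-Type value, or null if unusable.
function essence(contentType) {
  if (typeof contentType !== "string") return null;
  const value = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(value) ? value : null;
}

// Simplified parsing: the first comma-separated value must be "nosniff".
function hasNosniff(headers) {
  const raw = headers["x-content-type-options"];
  if (typeof raw !== "string") return false;
  return raw.split(",")[0].trim().toLowerCase() === "nosniff";
}

// destination: request destination such as "script", "style", "image", "track".
// headers: plain object keyed by lowercased header name (assumed input shape).
function nosniffVerdict(destination, headers) {
  if (!hasNosniff(headers)) return "allowed";
  const type = essence(headers["content-type"]);
  if (destination === "script" && !(type !== null && JS_TYPES.has(type))) {
    return "blocked"; // missing or non-JavaScript type for a script load
  }
  if (destination === "style" && type !== "text/css") {
    return "blocked"; // missing or non-CSS type for a stylesheet load
  }
  return "allowed"; // images, fonts, media, tracks: nosniff is not enforced
}

// Constructed sample responses, all sent with nosniff.
const samples = [
  ["script", { "x-content-type-options": "nosniff", "content-type": "text/plain" }],
  ["style", { "x-content-type-options": "NoSniff", "content-type": "text/css; charset=utf-8" }],
  ["image", { "x-content-type-options": "nosniff", "content-type": "text/html" }],
];
for (const [destination, headers] of samples) {
  console.log(destination, headers["content-type"], "->", nosniffVerdict(destination, headers));
}
```

For server operators the practical check is the first two rows: a script or stylesheet served with `nosniff` and a wrong or missing `Content-Type` will not load, while a mislabelled image still will.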
