From 4308b47e147274f6702a0c1add77488fbc75a309 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Tue, 28 May 2019 11:35:47 -0700 Subject: [PATCH] CORB should block event-stream, gzip and x-www-form-urlencoded. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in https://github.com/whatwg/fetch/issues/860#issuecomment-457330454 and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis Commit-Queue: Ɓukasz Anforowicz Cr-Commit-Position: refs/heads/master@{#663824} --- .../script-resource-with-nonsniffable-types.tentative.sub.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html b/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html index 62fd9ca389da9f..e599bf26f9445e 100644 --- a/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html +++ b/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html @@ -53,9 +53,12 @@ // Some mime types should be protected by CORB without any kind // of confirmation sniffing. protected_mime_types = [ + "application/gzip", "application/x-gzip", "application/x-protobuf", + "application/x-www-form-urlencoded", "application/zip", + "text/event-stream", // TODO(lukasza): https://crbug.com/944162: Add application/pdf and // text/csv to the list of content types tested here (after // kMimeHandlerViewInCrossProcessFrame gets enabled by default).