From 3968897fb4b227b1a634700cbeaea715e58ac543 Mon Sep 17 00:00:00 2001 From: janekptacijarabaci Date: Tue, 3 Apr 2018 19:50:55 +0200 Subject: Bug 1431095 - Change Content-Type-Options: nosniff allowed script MIME types to match the spec --- dom/base/nsContentUtils.cpp | 20 ++++++-------------- dom/base/nsContentUtils.h | 7 +------ netwerk/protocol/http/nsHttpChannel.cpp | 2 +- testing/web-platform/tests/fetch/nosniff/script.html | 4 ++-- 4 files changed, 10 insertions(+), 23 deletions(-) diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp index 02c6bf1de..ef87a250e 100644 --- a/dom/base/nsContentUtils.cpp +++ b/dom/base/nsContentUtils.cpp @@ -3717,11 +3717,15 @@ nsContentUtils::IsChildOfSameType(nsIDocument* aDoc) } bool -nsContentUtils::IsScriptType(const nsACString& aContentType) +nsContentUtils::IsPlainTextType(const nsACString& aContentType) { // NOTE: if you add a type here, add it to the CONTENTDLF_CATEGORIES // define in nsContentDLF.h as well. - return aContentType.EqualsLiteral(APPLICATION_JAVASCRIPT) || + return aContentType.EqualsLiteral(TEXT_PLAIN) || + aContentType.EqualsLiteral(TEXT_CSS) || + aContentType.EqualsLiteral(TEXT_CACHE_MANIFEST) || + aContentType.EqualsLiteral(TEXT_VTT) || + aContentType.EqualsLiteral(APPLICATION_JAVASCRIPT) || aContentType.EqualsLiteral(APPLICATION_XJAVASCRIPT) || aContentType.EqualsLiteral(TEXT_ECMASCRIPT) || aContentType.EqualsLiteral(APPLICATION_ECMASCRIPT) || @@ -3730,18 +3734,6 @@ nsContentUtils::IsScriptType(const nsACString& aContentType) aContentType.EqualsLiteral(TEXT_JSON); } -bool -nsContentUtils::IsPlainTextType(const nsACString& aContentType) -{ - // NOTE: if you add a type here, add it to the CONTENTDLF_CATEGORIES - // define in nsContentDLF.h as well. - return aContentType.EqualsLiteral(TEXT_PLAIN) || - aContentType.EqualsLiteral(TEXT_CSS) || - aContentType.EqualsLiteral(TEXT_CACHE_MANIFEST) || - aContentType.EqualsLiteral(TEXT_VTT) || - IsScriptType(aContentType); -} - bool nsContentUtils::GetWrapperSafeScriptFilename(nsIDocument* aDocument, nsIURI* aURI, diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h index 0a293d73e..0932f451e 100644 --- a/dom/base/nsContentUtils.h +++ b/dom/base/nsContentUtils.h @@ -1018,12 +1018,7 @@ public: static bool IsChildOfSameType(nsIDocument* aDoc); /** - '* Returns true if the content-type is any of the supported script types. - */ - static bool IsScriptType(const nsACString& aContentType); - - /** - '* Returns true if the content-type will be rendered as plain-text. + * Returns true if the content-type will be rendered as plain-text. */ static bool IsPlainTextType(const nsACString& aContentType); diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index ce0f45dab..94b0d9bf9 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -1152,7 +1152,7 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI } if (aLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_SCRIPT) { - if (nsContentUtils::IsScriptType(contentType)) { + if (nsContentUtils::IsJavascriptMIMEType(NS_ConvertUTF8toUTF16(contentType))) { return NS_OK; } ReportTypeBlocking(aURI, aLoadInfo, "MimeTypeMismatch"); diff --git a/testing/web-platform/tests/fetch/nosniff/script.html b/testing/web-platform/tests/fetch/nosniff/script.html index 667f3c99a..c5c5167f5 100644 --- a/testing/web-platform/tests/fetch/nosniff/script.html +++ b/testing/web-platform/tests/fetch/nosniff/script.html @@ -4,8 +4,8 @@