[webkit-reviews] review denied: [Bug 71851] Implement script MIME restrictions for X-Content-Type-Options: nosniff : [Attachment 186822] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 6 10:27:32 PST 2013


Adam Barth <abarth at webkit.org> has denied Mike West <mkwst at chromium.org>'s
request for review:
Bug 71851: Implement script MIME restrictions for X-Content-Type-Options:
nosniff
https://bugs.webkit.org/show_bug.cgi?id=71851

Attachment 186822: Patch
https://bugs.webkit.org/attachment.cgi?id=186822&action=review

------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=186822&action=review


As I mentioned on webkit-dev, we should check that the latest version of IE
still has this behavior.

> Source/WebCore/loader/cache/CachedScript.cpp:134
> +	       // List of types from
http://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx

We already have a list of MIME types that we accept in the "type" attribute of
the script tag.  Should we use that list instead?

> Source/WebCore/loader/cache/CachedScript.cpp:143
> +	       permittedMimeTypes.add("text/vbs");
> +	       permittedMimeTypes.add("text/vbscript");

We don't support vbscript, so presumably we wouldn't want have these on the
list....


More information about the webkit-reviews mailing list