-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should JSON MIME Types include all */*+json
?
#112
Comments
Your pros and cons mainly consider status in implementations, but what would the engineering benefit be, so to speak? |
I am not an expert in this area so I don't have an opinion; I was just trying to follow existing spec conventions. Maybe @Ms2ger @dandclark @BoCupp-Microsoft would know more. Will JSON modules be the first time that the JSON MIME type is actually checked in running an HTML page? |
It might be yes, |
Is anyone familiar with the reasoning behind that decision? That could help inform our thinking here. In particular I wonder if it was just a simplification or if there was some security concern. I'm no expert in this area either, but it seems like engineering benefit of allowing |
IIUC: I'm not sure whether similar argument applies to JSON modules. The benefit to allow The benefit to narrow the range would be improving security. WICG/webcomponents#839 will make JSON modules NOT to SOLELY rely on MIME types, but will we still need MIME type checks as a part of security guard? I don't have specific concerning cases for now and thus I filed this issue whether someone has specific thoughts aboud security. |
Navigation (https://html.spec.whatwg.org/C/#process-a-navigate-response, see #112 (comment)) also checks JSON MIME type, but I'm not sure about its importance. |
Ah, that's what you meant. So yes, requiring a JSON MIME type is important, just like it's important to require a JavaScript MIME type in new contexts (especially if they can parse differently), but it doesn't have to be a specific one, as far as I can tell. Navigation is observable if you navigate an |
It is a security concern. There have been attacks in the past (e.g. this paper (C)) based on non-JS files being treated as JS files and "executed". In general, allowing web sites to treat the contents of URLs as a different type than their declared content-type is an attack vector that gets exploited fairly regularly. |
I'm thinking that in this case the benefit of allowing potential JSON-like types like |
So, the concensus here can be:
Does this sounds good? If so, Chromium will allow |
Created #113 that feeds the discussion here back to the spec. |
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <domenic@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Dan Clark <daniec@microsoft.com> Cr-Commit-Position: refs/heads/master@{#875274}
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <domenic@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Dan Clark <daniec@microsoft.com> Cr-Commit-Position: refs/heads/master@{#875274}
…grity, and MIME type parameters, a=testonly Automatic update from web-platform-tests Add JSON modules tests for charset, integrity, and MIME type parameters Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <domenic@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Dan Clark <daniec@microsoft.com> Cr-Commit-Position: refs/heads/master@{#875274} -- wpt-commits: cda427384ac75751fe809c6006ca5167e0c8f7ad wpt-pr: 28606
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <domenic@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Dan Clark <daniec@microsoft.com> Cr-Commit-Position: refs/heads/master@{#875274} GitOrigin-RevId: 5d7b584b349398b5d42204b977fc0fca102aebe2
https://mimesniff.spec.whatwg.org/#json-mime-type defines JSON MIME Types as:
application/json
text/json
*/*+json
But I'm wondering whether it's better to limit the third case to
application/*+json
or something, or not, mainly in the context of JSON modules.pros:
*/*+json
MIME types as JSON. JSON MIME types are used in https://html.spec.whatwg.org/C/#process-a-navigate-response, and thus navigations to responses with JSON MIME types should be like navigating to text page (e.g.text/plain
page), but according to draft WPT ([TEST] Test MIME Types + navigation web-platform-tests/wpt#20169):application/*+json
text/*+json
*/*+json
cons:
*/*+xml
in RFC7303, and the rationale behind it: https://tools.ietf.org/html/rfc7303#appendix-A.*/*+xml
MIME Types don't seem considered as XMLs by the current browsers, according to the draft WPT above though.WDYT?
The text was updated successfully, but these errors were encountered: