From 8f4e22e819a3af15c94cb7f9ad6ec60587e9827e Mon Sep 17 00:00:00 2001 From: janekptacijarabaci Date: Tue, 3 Apr 2018 19:50:55 +0200 Subject: [PATCH] Bug 1431095 - Change Content-Type-Options: nosniff allowed script MIME types to match the spec --- dom/base/nsContentUtils.cpp | 22 ++++++------------- dom/base/nsContentUtils.h | 7 +----- netwerk/protocol/http/nsHttpChannel.cpp | 2 +- .../tests/fetch/nosniff/script.html | 4 ++-- 4 files changed, 11 insertions(+), 24 deletions(-) diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp index 02c6bf1deb..ef87a250ec 100644 --- a/dom/base/nsContentUtils.cpp +++ b/dom/base/nsContentUtils.cpp @@ -3716,20 +3716,6 @@ nsContentUtils::IsChildOfSameType(nsIDocument* aDoc) return sameTypeParent != nullptr; } -bool -nsContentUtils::IsScriptType(const nsACString& aContentType) -{ - // NOTE: if you add a type here, add it to the CONTENTDLF_CATEGORIES - // define in nsContentDLF.h as well. - return aContentType.EqualsLiteral(APPLICATION_JAVASCRIPT) || - aContentType.EqualsLiteral(APPLICATION_XJAVASCRIPT) || - aContentType.EqualsLiteral(TEXT_ECMASCRIPT) || - aContentType.EqualsLiteral(APPLICATION_ECMASCRIPT) || - aContentType.EqualsLiteral(TEXT_JAVASCRIPT) || - aContentType.EqualsLiteral(APPLICATION_JSON) || - aContentType.EqualsLiteral(TEXT_JSON); -} - bool nsContentUtils::IsPlainTextType(const nsACString& aContentType) { @@ -3739,7 +3725,13 @@ nsContentUtils::IsPlainTextType(const nsACString& aContentType) aContentType.EqualsLiteral(TEXT_CSS) || aContentType.EqualsLiteral(TEXT_CACHE_MANIFEST) || aContentType.EqualsLiteral(TEXT_VTT) || - IsScriptType(aContentType); + aContentType.EqualsLiteral(APPLICATION_JAVASCRIPT) || + aContentType.EqualsLiteral(APPLICATION_XJAVASCRIPT) || + aContentType.EqualsLiteral(TEXT_ECMASCRIPT) || + aContentType.EqualsLiteral(APPLICATION_ECMASCRIPT) || + aContentType.EqualsLiteral(TEXT_JAVASCRIPT) || + aContentType.EqualsLiteral(APPLICATION_JSON) || + aContentType.EqualsLiteral(TEXT_JSON); } bool diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h index 0a293d73ea..0932f451e5 100644 --- a/dom/base/nsContentUtils.h +++ b/dom/base/nsContentUtils.h @@ -1018,12 +1018,7 @@ public: static bool IsChildOfSameType(nsIDocument* aDoc); /** - '* Returns true if the content-type is any of the supported script types. - */ - static bool IsScriptType(const nsACString& aContentType); - - /** - '* Returns true if the content-type will be rendered as plain-text. + * Returns true if the content-type will be rendered as plain-text. */ static bool IsPlainTextType(const nsACString& aContentType); diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index ce0f45dabe..94b0d9bf93 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -1152,7 +1152,7 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI } if (aLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_SCRIPT) { - if (nsContentUtils::IsScriptType(contentType)) { + if (nsContentUtils::IsJavascriptMIMEType(NS_ConvertUTF8toUTF16(contentType))) { return NS_OK; } ReportTypeBlocking(aURI, aLoadInfo, "MimeTypeMismatch"); diff --git a/testing/web-platform/tests/fetch/nosniff/script.html b/testing/web-platform/tests/fetch/nosniff/script.html index 667f3c99a6..c5c5167f57 100644 --- a/testing/web-platform/tests/fetch/nosniff/script.html +++ b/testing/web-platform/tests/fetch/nosniff/script.html @@ -4,8 +4,8 @@