Firefox ran into problems supporting nosniff for images (Chrome doesn't support it there). @ckerschb is going to figure out if we can enable it at some future point: https://bugzilla.mozilla.org/show_bug.cgi?id=1302539. If that doesn't work out, we'll have to change the specification.
@ckerschb what do you think, is it worth it to try and enable this at some point or should we just give up on having nosniff for that?
@mikewest thoughts?
The specification also has it for fonts, media, and media track resources. I'm guessing we want to give up on those too and only handle style and script resources?
@zcorpan are media track resources still safe (like images are)?
Yes. At least if only WebVTT is supported. TTML2 supports external resources apparently though I have pointed out that that is a problem.
Okay, I hope no user agents plans on implementing that.
Given that I'd be okay with restricting nosniff to just style and script forever.
In an ideal world, supporting nosniff everywhere makes sense. Realistically, script and style are the important ones, and it's not clear to me that it's worth prioritizing work on things like nosniff support for images.
Perhaps Mozilla folks who supported the change could give a bit of detail about the relative priority? If I'm wrong, then we can make time.
Created a PR to apply it to "script" and "style" only.
Also created a WPT PR.
(Seems Chrome still fails several nosniff tests around workers and such.)
The Gecko bugs that get resolved through this change are: https://bugzilla.mozilla.org/show_bug.cgi?id=1289055, https://bugzilla.mozilla.org/show_bug.cgi?id=1289056, and https://bugzilla.mozilla.org/show_bug.cgi?id=1289057. Haven't closed them myself since @ckerschb might have to do some cleanup.
Realistically, script and style are the important ones, and it's not clear to me that it's worth prioritizing work on things like nosniff support for images.
:scream: You realize you introduced a security risk here?
Actually also "HTML" can be a malicious mime type, as it can obviously embed JS. (Maybe also other types such as SVG?)
See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject. Please do watch the whole talk, it's good! :smile:
Most helpful comment
:scream: You realize you introduced a security risk here?
Actually also "HTML" can be a malicious mime type, as it can obviously embed JS. (Maybe also other types such as SVG?)
See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject. Please do watch the whole talk, it's good! :smile: