This repository is being upstreamed to the Fetch Standard through PR #1442. As indicated there, you can preview a version of the Fetch Standard with the new text integrated.
The PR is primarily blocked on resolving the mvp issues. Help appreciated!
The PR is in a more advanced state than the text below and should be the starting point for implementers and reviewers.
To block as many opaque responses as possible while remaining web compatible.
CSS, JavaScript, images, and media (audio and video) can be requested across origins without CORS. Except for CSS there is no MIME type enforcement. Ideally we still block as many responses as possible that are not one of these types to avoid leaking their contents through side channels.
An opaque-safelisted MIME type is a JavaScript MIME type or a MIME type whose essence is "text/css" or "image/svg+xml".
An opaque-blocklisted MIME type is an HTML MIME type, JSON MIME type, or XML MIME type.
An opaque-blocklisted-never-sniffed MIME type is a MIME type whose essence is one of

* "application/dash+xml"
* "application/gzip"
* "application/msexcel"
* "application/mspowerpoint"
* "application/msword"
* "application/msword-template"
* "application/pdf"
* "application/vnd.apple.mpegurl"
* "application/vnd.ces-quickpoint"
* "application/vnd.ces-quicksheet"
* "application/vnd.ces-quickword"
* "application/vnd.ms-excel"
* "application/vnd.ms-excel.sheet.macroenabled.12"
* "application/vnd.ms-powerpoint"
* "application/vnd.ms-powerpoint.presentation.macroenabled.12"
* "application/vnd.ms-word"
* "application/vnd.ms-word.document.12"
* "application/vnd.ms-word.document.macroenabled.12"
* "application/vnd.msword"
* "application/vnd.openxmlformats-officedocument.presentationml.presentation"
* "application/vnd.openxmlformats-officedocument.presentationml.template"
* "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
* "application/vnd.openxmlformats-officedocument.spreadsheetml.template"
* "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
* "application/vnd.openxmlformats-officedocument.wordprocessingml.template"
* "application/vnd.presentation-openxml"
* "application/vnd.presentation-openxmlm"
* "application/vnd.spreadsheet-openxml"
* "application/vnd.wordprocessing-openxml"
* "application/x-gzip"
* "application/x-protobuf"
* "application/x-protobuffer"
* "application/zip"
* "audio/mpegurl"
* "multipart/byteranges"
* "multipart/signed"
* "text/event-stream"
* "text/csv"
* "text/vtt"

A request has an associated no-cors media request state ("N/A", "initial", or "subsequent"). It is "N/A" unless explicitly stated otherwise.
We adjust the way media element fetching is done to more clearly separate between the initial and any subsequent range fetches:
(These changes are not needed when CORS is used, but it might make sense to align these somewhat, to the extent they are not already.)
To determine whether to allow response _response_ to a request _request_, run these steps:

"text/plain", then return false.

"audio/", "image/", or "video/", then return false.

Note: responses for which the above algorithm returns true and contain secrets are strongly encouraged to be protected using Cross-Origin-Resource-Policy.
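The MIME type categories defined above, applied to a Content-Type header value, as an added example that is not code from the ORB repository or the Fetch Standard. It assumes the MIME Sniffing Standard's definitions of JavaScript, HTML, JSON and XML MIME types, uses a constructed subset of the never-sniffed list, and simplifies "extract a MIME type" to a single header value; the check order (safelisted, then never-sniffed, then blocklisted) is this example's way of resolving types that fall into more than one category.

```javascript
// Added example, not the ORB repository's code: classify a Content-Type header
// value using the three MIME type categories the text defines. JavaScript,
// HTML, JSON and XML MIME types are as defined in the MIME Sniffing Standard.
const JS_ESSENCES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);
// Constructed subset of the opaque-blocklisted-never-sniffed list above.
const NEVER_SNIFFED = new Set([
  "application/dash+xml", "application/gzip", "application/pdf", "application/zip",
  "application/x-protobuf", "multipart/byteranges", "text/csv",
  "text/event-stream", "text/vtt",
]);
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const TYPE_SUBTYPE = new RegExp(`^\\s*(${TOKEN})\\/(${TOKEN})\\s*$`);

// Simplified "extract a MIME type": drop parameters, lowercase type/subtype.
// Returns null where the Fetch algorithm returns failure.
function essence(contentType) {
  if (contentType == null) return null;
  const m = TYPE_SUBTYPE.exec(contentType.split(";")[0]);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

function isOpaqueSafelisted(ess) {
  return JS_ESSENCES.has(ess) || ess === "text/css" || ess === "image/svg+xml";
}

function isOpaqueBlocklisted(ess) {
  const subtype = ess.split("/")[1];
  return ess === "text/html" ||
    subtype.endsWith("+json") || ess === "application/json" || ess === "text/json" ||
    subtype.endsWith("+xml") || ess === "text/xml" || ess === "application/xml";
}

// Categories overlap (image/svg+xml is also an XML MIME type, application/dash+xml
// is XML and never-sniffed); check safelisted, then never-sniffed, then blocklisted.
function classify(contentType) {
  const ess = essence(contentType);
  if (ess === null) return "failure";
  if (isOpaqueSafelisted(ess)) return "opaque-safelisted";
  if (NEVER_SNIFFED.has(ess)) return "opaque-blocklisted-never-sniffed";
  if (isOpaqueBlocklisted(ess)) return "opaque-blocklisted";
  return "unclassified"; // left to the sniffing steps of the algorithm
}
```

A result of "unclassified" (for example image/png or text/plain) means the header alone does not decide and the remaining steps of the algorithm, including content sniffing, apply.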
Setting request's no-cors media request state to "subsequent" ideally happens in a process that is not easily compromised, because such a spoofed value can be used to bypass ORB. In particular, "subsequent" is only to be allowed and used if a trustworthy process can verify that the media element (or its node document, or its node document's origin) has previously received a response with the same URL that has sniffed as audio or video.
X-Content-Type-Options mostly kicks in after image/media sniffing, but it was not web compatible for Firefox to enforce it for images back in the day.

Many thanks to Jake Archibald, Lukasz Anforowicz, Nathan Froyd, and those involved in Chromium's CORB project.