@@ -1844,6 +1849,17 @@ Unless stated otherwise, it is false.This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]] +
A request has an associated +no-cors media request state ... + +
This is for exclusive use by the opaque-response-safelist check. + +
A request has an associated +no-cors JavaScript fallback encoding (an encoding). Unless +stated otherwise, it is UTF-8. + +
This is for exclusive use by the opaque-response-safelist check. +
A request has an associated @@ -2876,6 +2892,198 @@ run these steps: +
Opaque-response blocking
+ +++ + +Opaque-response blocking, also known as ORB, is a network filter that blocks access + to opaque filtered responses. These responses would likely would not have been useful to the + fetching party. Blocking them reduces information leakage to potential attackers. + +
Essentially, CSS, JavaScript, images, and media (audio and video) can be requested across + origins without the CORS protocol. And unfortunately except for CSS there is no MIME type + enforcement. This algorithm aims to block as many responses as possible that are not one of these + types (or are newer variants of those types) to avoid leaking their contents through side channels. + +
The network filter combines pro-active blocking based on response headers, sniffing a limited + set of bytes, and ultimately falls back to a full parse due to unfortunate (lack of) design + decisions in the early days of the web platform. As a result there are still quite a few responses + whose secrets can end up being revealed to attackers. Web developers are strongly encouraged to use + the `
Cross-Origin-Resource-Policy` response header to defend them. +The opaque-response-safelist check
+ +The opaque-response-safelist check, given a request request +and a response response, is to run these steps: + +
+
+ + +Let mimeType be the result of extracting a MIME type from + response's header list. + +
Let nosniff be the result of determining nosniff given + response's header list. + +
- +
If mimeType is not failure, then: + +
+
+ +If mimeType is an opaque-response-safelisted MIME type, then return + true. + +
If mimeType is an opaque-response-blocklisted-never-sniffed MIME type, + then return false. + +
If response's status is 206 and mimeType is an + opaque-response-blocklisted MIME type, then return false. + +
If nosniff is true and mimeType is an + opaque-response-blocklisted MIME type or its essence is + "
text/plain", then return false. +If request's no-cors media request state is + "
subsequent", then return true. + +If response's status is 206 and + validate a partial response given 0 and response returns invalid, then return + false. + + +
Wait for 1024 bytes of response's body or end-of-file, + whichever comes first and let bytes be those bytes. + + +
- +
If the audio or video type pattern matching algorithm given bytes does not + return undefined, then: + +
+
+ +If requests's no-cors media request state is not + "
initial", then return false. + +If response's status is not 200 or 206, then return false. + +
Return true. +
If requests's no-cors media request state is not + "
N/A", then return false. + +If the image type pattern matching algorithm given bytes does not return + undefined, then return true. + +
- +
If nosniff is true, then return false. + +
This check is made late as unfortunately images and media are always sniffed. + +
If response's status is not an ok status, then return + false. + +
- +
If mimeType is failure, then return true. + +
This could be improved at somewhat significant cost. See + annevk/orb #28. + +
If mimeType's essence starts with + "
audio/", "image/", or "video/", then return false. + +Let responseBodyBytes be null. + +
- +
Let processBody given a byte sequence bytes be these steps: + +
+
+ +Set responseBodyBytes to bytes. + +
Set response's body to the body + of the result of safely extracting bytes. +
Let processBodyError be this step: set responseBodyBytes to failure. + +
Fully read response's body given processBody + and processBodyError. + +
Wait for responseBodyBytes to be non-null. + +
If responseBodyBytes is failure, then return false. + +
Assert: responseBodyBytes is a byte sequence. + +
If parse JSON bytes to a JavaScript value given responseBodyBytes does not + throw, then return false. If it throws, catch the exception and ignore it. + +
Let sourceText be the result of decoding + responseBodyBytes given request's + no-cors JavaScript fallback encoding. + +
If ParseText(sourceText, Script) returns a Script Record, + then return true. + + +
Return false. +
New MIME type sets
+ +The definitions in this section are solely for the purpose of abstracting parts of the +opaque-response-safelist check. They are not suited for usage elsewhere. + +
An opaque-response-safelisted MIME type is a JavaScript MIME type or a +MIME type whose essence is "
text/css" or +"image/svg+xml". + +An opaque-response-blocklisted MIME type is an HTML MIME type, +JSON MIME type, or XML MIME type. + +
An opaque-response-blocklisted-never-sniffed MIME type is a MIME type +whose essence is one of: + +
application/gzip"
+ application/msexcel"
+ application/mspowerpoint"
+ application/msword"
+ application/msword-template"
+ application/pdf"
+ application/vnd.ces-quickpoint"
+ application/vnd.ces-quicksheet"
+ application/vnd.ces-quickword"
+ application/vnd.ms-excel"
+ application/vnd.ms-excel.sheet.macroenabled.12"
+ application/vnd.ms-powerpoint"
+ application/vnd.ms-powerpoint.presentation.macroenabled.12"
+ application/vnd.ms-word"
+ application/vnd.ms-word.document.12"
+ application/vnd.ms-word.document.macroenabled.12"
+ application/vnd.msword"
+ application/vnd.openxmlformats-officedocument.presentationml.presentation"
+ application/vnd.openxmlformats-officedocument.presentationml.template"
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+ application/vnd.openxmlformats-officedocument.spreadsheetml.template"
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document"
+ application/vnd.openxmlformats-officedocument.wordprocessingml.template"
+ application/vnd.presentation-openxml"
+ application/vnd.presentation-openxmlm"
+ application/vnd.spreadsheet-openxml"
+ application/vnd.wordprocessing-openxml"
+ application/x-gzip"
+ application/x-protobuf"
+ application/x-protobuffer"
+ application/zip"
+ multipart/byteranges"
+ multipart/signed"
+ text/event-stream"
+ text/csv"
+Set request's response tainting to "opaque".
-
Return the result of running scheme fetch given fetchParams. +
Let opaqueResponse be the result of running scheme fetch given + fetchParams. + +
If the opaque-response-safelist check given request and + opaqueResponse returns true, then return opaqueResponse. + +
Return a network error.