Block scripts with text/csv, audio/*, video/* and image/* mime types

2025-08-03 04:30:10 +01:00 · 2017-03-24 19:47:56 +01:00 · 2017-03-24 19:47:56 +01:00 · 29a56c4d1a
commit 29a56c4d1a
parent c31ee6e300
4 changed files with 83 additions and 1 deletions
--- a/components/net/fetch/methods.rs
+++ b/components/net/fetch/methods.rs
@ -271,6 +271,8 @@ pub fn main_fetch(request: &mut Request,
        let response_is_network_error = response.is_network_error();
        let should_replace_with_nosniff_error =
            !response_is_network_error && should_be_blocked_due_to_nosniff(request.type_, &response.headers);
+        let should_replace_with_mime_type_error =
+            !response_is_network_error && should_be_blocked_due_to_mime_type(request.type_, &response.headers);

        // Step 15.
        let mut network_error_response = response.get_network_error().cloned().map(Response::network_error);
@ -288,13 +290,16 @@ pub fn main_fetch(request: &mut Request,
        // Step 17.
        // TODO: handle blocking as mixed content.
        // TODO: handle blocking by content security policy.
-        // TODO: handle blocking due to MIME type.
        let blocked_error_response;
        let internal_response =
            if should_replace_with_nosniff_error {
                // Defer rebinding result
                blocked_error_response = Response::network_error(NetworkError::Internal("Blocked by nosniff".into()));
                &blocked_error_response
+            } else if should_replace_with_mime_type_error {
+                // Defer rebinding result
+                blocked_error_response = Response::network_error(NetworkError::Internal("Blocked by mime type".into()));
+                &blocked_error_response
            } else {
                internal_response
            };
@ -625,6 +630,21 @@ pub fn should_be_blocked_due_to_nosniff(request_type: Type, response_headers: &H
    };
 }

+/// https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?
+fn should_be_blocked_due_to_mime_type(request_type: Type, response_headers: &Headers) -> bool {
+    let mime_type = match response_headers.get::<ContentType>() {
+        Some(header) => header,
+        None => return false,
+    };
+    request_type == Type::Script && match *mime_type {
+        ContentType(Mime(TopLevel::Audio, _, _)) |
+        ContentType(Mime(TopLevel::Video, _, _)) |
+        ContentType(Mime(TopLevel::Image, _, _)) => true,
+        ContentType(Mime(TopLevel::Text, SubLevel::Ext(ref ext), _)) => ext == "csv",
+        _ => false,
+    }
+}
+
 /// https://fetch.spec.whatwg.org/#block-bad-port
 pub fn should_be_blocked_due_to_bad_port(url: &ServoUrl) -> bool {
    // Step 1 is not applicable, this function just takes the URL directly.