Should JSON MIME Types include all */*+json?
#112
Comments
|
Your pros and cons mainly consider status in implementations, but what would the engineering benefit be, so to speak? |
|
I am not an expert in this area so I don't have an opinion; I was just trying to follow existing spec conventions. Maybe @Ms2ger @dandclark @BoCupp-Microsoft would know more. Will JSON modules be the first time that the JSON MIME type is actually checked in running an HTML page? |
|
It might be yes, |
Is anyone familiar with the reasoning behind that decision? That could help inform our thinking here. In particular I wonder if it was just a simplification or if there was some security concern. I'm no expert in this area either, but it seems like engineering benefit of allowing |
IIUC: I'm not sure whether similar argument applies to JSON modules. The benefit to allow The benefit to narrow the range would be improving security. WICG/webcomponents#839 will make JSON modules NOT to SOLELY rely on MIME types, but will we still need MIME type checks as a part of security guard? I don't have specific concerning cases for now and thus I filed this issue whether someone has specific thoughts aboud security. |
Navigation (https://html.spec.whatwg.org/C/#process-a-navigate-response, see #112 (comment)) also checks JSON MIME type, but I'm not sure about its importance. |
|
Ah, that's what you meant. So yes, requiring a JSON MIME type is important, just like it's important to require a JavaScript MIME type in new contexts (especially if they can parse differently), but it doesn't have to be a specific one, as far as I can tell. Navigation is observable if you navigate an |
It is a security concern. There have been attacks in the past (e.g. this paper (C)) based on non-JS files being treated as JS files and "executed". In general, allowing web sites to treat the contents of URLs as a different type than their declared content-type is an attack vector that gets exploited fairly regularly. |
|
I'm thinking that in this case the benefit of allowing potential JSON-like types like |
|
So, the concensus here can be:
Does this sounds good? If so, Chromium will allow |
|
Created #113 that feeds the discussion here back to the spec. |
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <[email protected]> Reviewed-by: Kouhei Ueno <[email protected]> Commit-Queue: Dan Clark <[email protected]> Cr-Commit-Position: refs/heads/master@{#875274}
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <[email protected]> Reviewed-by: Kouhei Ueno <[email protected]> Commit-Queue: Dan Clark <[email protected]> Cr-Commit-Position: refs/heads/master@{#875274}
…grity, and MIME type parameters, a=testonly Automatic update from web-platform-tests Add JSON modules tests for charset, integrity, and MIME type parameters Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <[email protected]> Reviewed-by: Kouhei Ueno <[email protected]> Commit-Queue: Dan Clark <[email protected]> Cr-Commit-Position: refs/heads/master@{#875274} -- wpt-commits: cda427384ac75751fe809c6006ca5167e0c8f7ad wpt-pr: 28606
Add JSON modules tests for the following: - The <script> element's integrity attribute is respected. - JSON modules are always decoded as UTF-8 regardless of Content-Type or the document's encoding. The existing coverage we had on this in utf8.tenative.html was renamed to charset.html, refactored, and expanded. - Adding parameters to the MIME type doesn't prevent it from being evaluated as a JSON MIME type. Note, some of the existing MIME type tests for */*+json still fail because it seems the spec issue on these at whatwg/mimesniff#112 hasn't been fully resolved. I'll follow up with that separately. Bug: 1132413 Change-Id: I682de01bbb14b53214fcc16f427a4875f8cfed7f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2841103 Reviewed-by: Domenic Denicola <[email protected]> Reviewed-by: Kouhei Ueno <[email protected]> Commit-Queue: Dan Clark <[email protected]> Cr-Commit-Position: refs/heads/master@{#875274} GitOrigin-RevId: 5d7b584b349398b5d42204b977fc0fca102aebe2
and others
https://mimesniff.spec.whatwg.org/#json-mime-type defines JSON MIME Types as:
application/jsontext/json*/*+jsonBut I'm wondering whether it's better to limit the third case to
application/*+jsonor something, or not, mainly in the context of JSON modules.pros:
*/*+jsonMIME types as JSON. JSON MIME types are used in https://html.spec.whatwg.org/C/#process-a-navigate-response, and thus navigations to responses with JSON MIME types should be like navigating to text page (e.g.text/plainpage), but according to draft WPT ([TEST] Test MIME Types + navigation web-platform-tests/wpt#20169):application/*+jsontext/*+json*/*+jsoncons:
*/*+xmlin RFC7303, and the rationale behind it: https://tools.ietf.org/html/rfc7303#appendix-A.*/*+xmlMIME Types don't seem considered as XMLs by the current browsers, according to the draft WPT above though.WDYT?
The text was updated successfully, but these errors were encountered: