CORB shouldn't block application/dash+xml videos.

Bug: 947498 Change-Id: I4925f5209e507f8e39ea324de3a9c6f48e1747f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1546671Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#647089}

CORB shouldn't block application/dash+xml videos.
Bug: 947498 Change-Id: I4925f5209e507f8e39ea324de3a9c6f48e1747f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1546671Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#647089}
2dae0c6d · Lukasz Anforowicz · Commit Bot · 96edee91 · 2dae0c6d · 2dae0c6d
Commit 2dae0c6d authored Apr 03, 2019 by Lukasz Anforowicz Committed by Commit Bot Apr 03, 2019
3 changed files
--- a/services/network/cross_origin_read_blocking.cc
+++ b/services/network/cross_origin_read_blocking.cc
@@ -43,6 +43,7 @@ const char kTextXml[] = "text/xml";
 const char kAppXml[] = "application/xml";
 const char kAppJson[] = "application/json";
 const char kImageSvg[] = "image/svg+xml";
+const char kDashVideo[] = "application/dash+xml";  // https://crbug.com/947498
 const char kTextJson[] = "text/json";
 const char kTextPlain[] = "text/plain";
 // TODO(lukasza): Remove kJsonProtobuf once this MIME type is not used in
@@ -219,10 +220,11 @@ void RecordCorbResultVsInitiatorLockCompatibility(

 MimeType CrossOriginReadBlocking::GetCanonicalMimeType(
    base::StringPiece mime_type) {
-  // Checking for image/svg+xml early ensures that it won't get classified as
-  // MimeType::kXml by the presence of the "+xml"
+  // Checking for image/svg+xml and application/dash+xml early ensures that they
+  // won't get classified as MimeType::kXml by the presence of the "+xml"
  // suffix.
-  if (base::LowerCaseEqualsASCII(mime_type, kImageSvg))
+  if (base::LowerCaseEqualsASCII(mime_type, kImageSvg) ||
+      base::LowerCaseEqualsASCII(mime_type, kDashVideo))
    return MimeType::kOthers;

  // See also https://mimesniff.spec.whatwg.org/#html-mime-type

--- a/services/network/cross_origin_read_blocking_unittest.cc
+++ b/services/network/cross_origin_read_blocking_unittest.cc
@@ -251,8 +251,9 @@ TEST(CrossOriginReadBlockingTest, GetCanonicalMimeType) {

      // Images are allowed cross-site, and SVG is an image, so we should
      // classify SVG as "other" instead of "xml" (even though it technically is
-      // an xml document).
+      // an xml document).  Same argument for DASH video format.
      {"image/svg+xml", MimeType::kOthers},
+      {"application/dash+xml", MimeType::kOthers},

      // Javascript should not be blocked.
      {"application/javascript", MimeType::kOthers},

--- a/third_party/blink/web_tests/external/wpt/fetch/corb/img-mime-types-coverage.tentative.sub.html
+++ b/third_party/blink/web_tests/external/wpt/fetch/corb/img-mime-types-coverage.tentative.sub.html
@@ -19,6 +19,7 @@
      // MIME-types not protected by CORB
      "image/gif", "image/png", "image/png;blah", "image/svg+xml",
      "application/javascript", "application/jsonp",
+      "application/dash+xml", // video format
      "image/gif;HI=THERE",

      // MIME types that may seem to be JSON or XML, but really aren't - i.e.