CORB: Allow text/plain 206 responses.

Bug: 801709 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo Change-Id: Ie059475b03953372cf9fcc9ddafd875ebc849e34 Reviewed-on: https://chromium-review.googlesource.com/973942 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Nick Carter <nick@chromium.org> Cr-Commit-Position: refs/heads/master@{#544959}

CORB: Allow text/plain 206 responses.
Bug: 801709 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo Change-Id: Ie059475b03953372cf9fcc9ddafd875ebc849e34 Reviewed-on: https://chromium-review.googlesource.com/973942 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Nick Carter <nick@chromium.org> Cr-Commit-Position: refs/heads/master@{#544959}
c4434880 · Lukasz Anforowicz · Commit Bot · 12098b47 · c4434880 · c4434880
Commit c4434880 authored Mar 22, 2018 by Lukasz Anforowicz Committed by Commit Bot Mar 22, 2018
3 changed files
--- a/content/browser/loader/cross_site_document_resource_handler.cc
+++ b/content/browser/loader/cross_site_document_resource_handler.cc
@@ -845,11 +845,6 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
  bool has_nosniff_header =
      base::LowerCaseEqualsASCII(nosniff_header, "nosniff");
-  // If this is an HTTP range request, sniffing isn't possible.
-  std::string range_header;
-  response->head.headers->GetNormalizedHeader("content-range", &range_header);
-  bool has_range_header = !range_header.empty();
  // CORB should look directly at the Content-Type header if one has been
  // received from the network.  Ignoring |response->head.mime_type| helps avoid
  // breaking legitimate websites (which might happen more often when blocking
@@ -868,15 +863,29 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
  // If this is a partial response, sniffing is not possible, so allow the
  // response if it's not a protected mime type.
-  if (has_range_header && canonical_mime_type_ == MimeType::kOthers) {
+  std::string range_header;
-    return false;
+  response->head.headers->GetNormalizedHeader("content-range", &range_header);
+  if (!range_header.empty()) {
+    needs_sniffing_ = false;
+    switch (canonical_mime_type_) {
+      case MimeType::kOthers:
+      case MimeType::kPlain:  // See also https://crbug.com/801709
+        return false;
+      case MimeType::kHtml:
+      case MimeType::kJson:
+      case MimeType::kXml:
+        return true;
+      case MimeType::kMax:
+        NOTREACHED();
+        return true;
+    }
  }
  // We need to sniff unprotected mime types (e.g. for parser breakers), and
  // unless the nosniff header is set, we also need to sniff protected mime
  // types to verify that they're not mislabeled.
-  needs_sniffing_ = (canonical_mime_type_ == MimeType::kOthers) ||
+  needs_sniffing_ =
-                    !(has_range_header || has_nosniff_header);
+      (canonical_mime_type_ == MimeType::kOthers) || !has_nosniff_header;
  // Stylesheets shouldn't be sniffed for JSON parser breakers - see
  // https://crbug.com/809259.

--- a/content/browser/loader/cross_site_document_resource_handler_unittest.cc
+++ b/content/browser/loader/cross_site_document_resource_handler_unittest.cc
--- a/services/network/cross_origin_read_blocking_explainer.md
+++ b/services/network/cross_origin_read_blocking_explainer.md
@@ -275,25 +275,29 @@ CORB decides whether a response needs protection (i.e. if a response is a JSON,
 HTML or XML resource) based on the following:
 * If the response contains `X-Content-Type-Options: nosniff` response header,
-  or if the response is a 206 response, then the response will be CORB-protected
+  then the response will be CORB-protected
  if its `Content-Type` header is one of the following:
  * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
  * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
    (except `image/svg+xml` which is CORB-exempt as described above)
-  * JSON MIME type - one of `text/json`, `text/json+*`, `text/x-json`,
+  * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
-    `text/x-json+*`, `application/json`, `application/json+*` or `*+json`
  * `text/plain`
-> [lukasza@chromium.org] Maybe `text/plain` should be allowed if sniffing is not
+* If the response is a 206 response,
-> possible - this would avoid the potentially troublesome and not-yet-understood
+  then the response will be CORB-protected
-> blocking reported in some media contexts.
+  if its `Content-Type` header is one of the following:
+  * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
+  * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
+    (except `image/svg+xml` which is CORB-exempt as described above)
+  * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
 * Otherwise, CORB attempts to sniff the response body:
  * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
    that sniffs as HTML is CORB-protected
  * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
    (except `image/svg+xml`) that sniffs as XML is CORB-protected
-  * JSON MIME type that sniffs as JSON is CORB-protected
+  * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
+    that sniffs as JSON is CORB-protected
  * `text/plain` that sniffs as JSON, HTML or XML is CORB-protected
  * Any response (except `text/css`) that begins with
    [a JSON security prefix](https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Protect_against_JSON_Hijacking_for_Older_Browsers)
@@ -399,12 +403,6 @@ HTML's `<canvas>`, etc.
 Audio and video resources should see similar impact as images, though 206
 responses are more likely to occur for media.
-> [lukasza@chromium.org] Decide what to do with 206s:
-> - html + nosniff = block
-> - html + 206 = block
-> - text/plain + nosniff = block?
-> - text/plain + 206 = allow?
 ### Observable CORB impact on scripts
 CORB should have no observable impact on `<script>` tags except for cases where
@@ -736,8 +734,7 @@ spec.
      * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
      * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
        (except `image/svg+xml` which is CORB-exempt, per rules above)
-      * JSON MIME type - one of `text/json`, `text/json+*`, `text/x-json`,
+      * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
-        `text/x-json+*`, `application/json`, `application/json+*` or `*+json`
      * `text/plain`
 * Sniffing to confirm the Content-Type of the response
@@ -755,6 +752,6 @@ spec.
      then CORB SHOULD allow the response
      if it doesn't
      [sniff as XML](https://mimesniff.spec.whatwg.org/#rules-for-identifying-an-unknown-mime-type).
-    * If Content-Type is "JSON MIME type" (see above),
+    * If Content-Type is [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type),
      then CORB SHOULD allow the response
      if it doesn't sniff as JSON.  TODO: define "sniff as JSON".