CORB: Allow text/plain 206 responses.

Bug: 801709
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ie059475b03953372cf9fcc9ddafd875ebc849e34
Reviewed-on: https://chromium-review.googlesource.com/973942
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nick Carter <nick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544959}

content/browser/loader/cross_site_document_resource_handler.cc

@@ -845,11 +845,6 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
   bool has_nosniff_header =
       base::LowerCaseEqualsASCII(nosniff_header, "nosniff");
 
-  // If this is an HTTP range request, sniffing isn't possible.
-  std::string range_header;
-  response->head.headers->GetNormalizedHeader("content-range", &range_header);
-  bool has_range_header = !range_header.empty();
-
   // CORB should look directly at the Content-Type header if one has been
   // received from the network.  Ignoring |response->head.mime_type| helps avoid
   // breaking legitimate websites (which might happen more often when blocking
@@ -868,15 +863,29 @@ bool CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders(
 
   // If this is a partial response, sniffing is not possible, so allow the
   // response if it's not a protected mime type.
-  if (has_range_header && canonical_mime_type_ == MimeType::kOthers) {
-    return false;
+  std::string range_header;
+  response->head.headers->GetNormalizedHeader("content-range", &range_header);
+  if (!range_header.empty()) {
+    needs_sniffing_ = false;
+    switch (canonical_mime_type_) {
+      case MimeType::kOthers:
+      case MimeType::kPlain:  // See also https://crbug.com/801709
+        return false;
+      case MimeType::kHtml:
+      case MimeType::kJson:
+      case MimeType::kXml:
+        return true;
+      case MimeType::kMax:
+        NOTREACHED();
+        return true;
+    }
   }
 
   // We need to sniff unprotected mime types (e.g. for parser breakers), and
   // unless the nosniff header is set, we also need to sniff protected mime
   // types to verify that they're not mislabeled.
-  needs_sniffing_ = (canonical_mime_type_ == MimeType::kOthers) ||
-                    !(has_range_header || has_nosniff_header);
+  needs_sniffing_ =
+      (canonical_mime_type_ == MimeType::kOthers) || !has_nosniff_header;
 
   // Stylesheets shouldn't be sniffed for JSON parser breakers - see
   // https://crbug.com/809259.

services/network/cross_origin_read_blocking_explainer.md

@@ -275,25 +275,29 @@ CORB decides whether a response needs protection (i.e. if a response is a JSON,
 HTML or XML resource) based on the following:
 
 * If the response contains `X-Content-Type-Options: nosniff` response header,
-  or if the response is a 206 response, then the response will be CORB-protected
+  then the response will be CORB-protected
   if its `Content-Type` header is one of the following:
   * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
   * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
     (except `image/svg+xml` which is CORB-exempt as described above)
-  * JSON MIME type - one of `text/json`, `text/json+*`, `text/x-json`,
-    `text/x-json+*`, `application/json`, `application/json+*` or `*+json`
+  * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
   * `text/plain`
 
-> [lukasza@chromium.org] Maybe `text/plain` should be allowed if sniffing is not
-> possible - this would avoid the potentially troublesome and not-yet-understood
-> blocking reported in some media contexts.
+* If the response is a 206 response,
+  then the response will be CORB-protected
+  if its `Content-Type` header is one of the following:
+  * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
+  * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
+    (except `image/svg+xml` which is CORB-exempt as described above)
+  * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
 
 * Otherwise, CORB attempts to sniff the response body:
   * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
     that sniffs as HTML is CORB-protected
   * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
     (except `image/svg+xml`) that sniffs as XML is CORB-protected
-  * JSON MIME type that sniffs as JSON is CORB-protected
+  * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
+    that sniffs as JSON is CORB-protected
   * `text/plain` that sniffs as JSON, HTML or XML is CORB-protected
   * Any response (except `text/css`) that begins with
     [a JSON security prefix](https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Protect_against_JSON_Hijacking_for_Older_Browsers)
@@ -399,12 +403,6 @@ HTML's `<canvas>`, etc.
 Audio and video resources should see similar impact as images, though 206
 responses are more likely to occur for media.
 
-> [lukasza@chromium.org] Decide what to do with 206s:
-> - html + nosniff = block
-> - html + 206 = block
-> - text/plain + nosniff = block?
-> - text/plain + 206 = allow?
-
 ### Observable CORB impact on scripts
 
 CORB should have no observable impact on `<script>` tags except for cases where
@@ -736,8 +734,7 @@ spec.
       * [HTML MIME type](https://mimesniff.spec.whatwg.org/#html-mime-type)
       * [XML MIME type](https://mimesniff.spec.whatwg.org/#xml-mime-type)
         (except `image/svg+xml` which is CORB-exempt, per rules above)
-      * JSON MIME type - one of `text/json`, `text/json+*`, `text/x-json`,
-        `text/x-json+*`, `application/json`, `application/json+*` or `*+json`
+      * [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type)
       * `text/plain`
 
 * Sniffing to confirm the Content-Type of the response
@@ -755,6 +752,6 @@ spec.
       then CORB SHOULD allow the response
       if it doesn't
       [sniff as XML](https://mimesniff.spec.whatwg.org/#rules-for-identifying-an-unknown-mime-type).
-    * If Content-Type is "JSON MIME type" (see above),
+    * If Content-Type is [JSON MIME type](https://mimesniff.spec.whatwg.org/#json-mime-type),
       then CORB SHOULD allow the response
       if it doesn't sniff as JSON.  TODO: define "sniff as JSON".