Count execution of JSON and unknown MIME types.

In the hopes of getting more clarity around the impact of tightening MIME restrictions on script execution, this CL adds measurement for `text/json`, `application/json`, and a bucket for everything else. Bug: 794548 Change-Id: I26b49ba761864a6a291902dc775fde67c548a071 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2567161Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#833182}

Count execution of JSON and unknown MIME types.
In the hopes of getting more clarity around the impact of tightening MIME restrictions on script execution, this CL adds measurement for `text/json`, `application/json`, and a bucket for everything else. Bug: 794548 Change-Id: I26b49ba761864a6a291902dc775fde67c548a071 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2567161Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#833182}
d5ca02b5 · Mike West · Chromium LUCI CQ · 8a86199b · d5ca02b5 · d5ca02b5
Commit d5ca02b5 authored Dec 03, 2020 by Mike West Committed by Chromium LUCI CQ Dec 03, 2020
4 changed files
--- a/third_party/blink/public/mojom/web_feature/web_feature.mojom
+++ b/third_party/blink/public/mojom/web_feature/web_feature.mojom
@@ -3062,6 +3062,10 @@ enum WebFeature {
  kChangeTypeUsingConfig = 3734,
  kV8SourceBuffer_AppendEncodedChunks_Method = 3735,
  kOversrollBehaviorOnViewportBreaks = 3736,
+  kSameOriginJsonTypeForScript = 3737,
+  kCrossOriginJsonTypeForScript = 3738,
+  kSameOriginStrictNosniffWouldBlock = 3739,
+  kCrossOriginStrictNosniffWouldBlock = 3740,

  // Add new features immediately above this line. Don't change assigned
  // numbers of any item, and don't reuse removed slots.

--- a/third_party/blink/renderer/platform/loader/allowed_by_nosniff.cc
+++ b/third_party/blink/renderer/platform/loader/allowed_by_nosniff.cc
@@ -56,6 +56,16 @@ const WebFeature kTextXmlFeatures[2] = {
    WebFeature::kSameOriginTextXml,
 };

+const WebFeature kJsonFeatures[2] = {
+    WebFeature::kCrossOriginJsonTypeForScript,
+    WebFeature::kSameOriginJsonTypeForScript,
+};
+
+const WebFeature kUnknownFeatures[2] = {
+    WebFeature::kCrossOriginStrictNosniffWouldBlock,
+    WebFeature::kSameOriginStrictNosniffWouldBlock,
+};
+
 // Helper function to decide what to do with with a given mime type. This takes
 // - a mime type
 // - inputs that affect the decision (is_same_origin, mime_type_check_mode).
@@ -121,6 +131,11 @@ bool AllowMimeTypeAsScript(const String& mime_type,
    counter = kTextPlainFeatures[same_origin];
  } else if (mime_type.StartsWithIgnoringCase("text/xml")) {
    counter = kTextXmlFeatures[same_origin];
+  } else if (mime_type.StartsWithIgnoringCase("text/json") ||
+             mime_type.StartsWithIgnoringCase("application/json")) {
+    counter = kJsonFeatures[same_origin];
+  } else {
+    counter = kUnknownFeatures[same_origin];
  }

  return true;

--- a/third_party/blink/renderer/platform/loader/allowed_by_nosniff_test.cc
+++ b/third_party/blink/renderer/platform/loader/allowed_by_nosniff_test.cc
@@ -152,6 +152,16 @@ TEST_F(AllowedByNosniffTest, Counters) {
      {bla, blubb, "text/plain", kOpaque, WebFeature::kCrossOriginTextPlain},
      {bla, bla, "text/plain", kBasic, WebFeature::kSameOriginTextScript},
      {bla, bla, "text/plain", kBasic, WebFeature::kSameOriginTextPlain},
+      {bla, bla, "text/json", kBasic, WebFeature::kSameOriginTextScript},
+
+      // JSON
+      {bla, bla, "text/json", kBasic, WebFeature::kSameOriginJsonTypeForScript},
+      {bla, bla, "application/json", kBasic,
+       WebFeature::kSameOriginJsonTypeForScript},
+      {bla, blubb, "text/json", kOpaque,
+       WebFeature::kCrossOriginJsonTypeForScript},
+      {bla, blubb, "application/json", kOpaque,
+       WebFeature::kCrossOriginJsonTypeForScript},

      // Test mime type and subtype handling.
      {bla, bla, "text/xml", kBasic, WebFeature::kSameOriginTextScript},
@@ -166,6 +176,12 @@ TEST_F(AllowedByNosniffTest, Counters) {
      {blubb, blubb, "application/xml", kCors,
       WebFeature::kCrossOriginApplicationXml},
      {bla, bla, "text/html", kBasic, WebFeature::kSameOriginTextHtml},
+
+      // Unknown
+      {bla, bla, "not/script", kBasic,
+       WebFeature::kSameOriginStrictNosniffWouldBlock},
+      {bla, blubb, "not/script", kOpaque,
+       WebFeature::kCrossOriginStrictNosniffWouldBlock},
  };

  for (auto& testcase : data) {

--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -30418,6 +30418,10 @@ Called by update_use_counter_feature_enum.py.-->
  <int value="3734" label="ChangeTypeUsingConfig"/>
  <int value="3735" label="V8SourceBuffer_AppendEncodedChunks_Method"/>
  <int value="3736" label="OversrollBehaviorOnViewportBreaks"/>
+  <int value="3737" label="SameOriginJsonTypeForScript"/>
+  <int value="3738" label="CrossOriginJsonTypeForScript"/>
+  <int value="3739" label="SameOriginStrictNosniffWouldBlock"/>
+  <int value="3740" label="CrossOriginStrictNosniffWouldBlock"/>
 </enum>

 <enum name="FeaturePolicyAllowlistType">