Nosniffing for Worker Scripts · Issue #3255 · whatwg/html · GitHub
8.1.3.2 Fetching scripts says:
- Under "To fetch a single module script", step 8: "If any of the following conditions are met [...] The result of extracting a MIME type from response's header list (ignoring parameters) is not a JavaScript MIME type."
- There are no equivalent rules for classic or worker scripts.
Chrome would like to be more strict about the non-module scripts, too. On Chrome's beta channel, we see:
- ca. 0.01% of page loads contain worker scripts (workers or scripts loaded from workers) that would fail this check if it were applied.
- ca. 6% of classic, non-worker page loads contain scripts that would fail this check if applied.
  - Of these, the vast majority (~3/4) are text/html.
  - ~1/4 text/plain
  - ~1/10 application/octet-stream
  - The rest is noise, <0.01%.
These numbers would probably support blocking non-script MIME types for the "fetch a classic worker script" and "fetch a classic worker-imported script" cases, too, but not (yet) for all script types.
Would this make sense?
@mikewest
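The check the issue quotes, worked through as an added example (this is neither the spec's text nor Chrome's code): extract the MIME type from a response's Content-Type while ignoring parameters, test it against the JavaScript MIME types listed in the MIME Sniffing standard, and enforce the result only for the script kinds the issue proposes (module scripts already, plus the two classic worker cases, but not plain classic scripts). The script-kind names, the `ENFORCED` table, and the sample responses are constructed for illustration; the telemetry-style tally at the end mirrors the kind of breakdown reported above but runs over constructed data, not Chrome's numbers.

```python
"""Nosniff-style MIME check for script fetches.

Added example, not code from the HTML spec, Chrome, or the issue author.
Implements: extract a MIME type from the response (ignoring parameters),
test whether it is a JavaScript MIME type, and block per script kind.
"""
from collections import Counter
from typing import Iterable, Optional, Tuple

# JavaScript MIME type essences as enumerated in the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# Script kinds (names constructed for this example) -> whether the MIME
# check is enforced. Module scripts are already checked by the spec; the
# issue proposes adding both classic worker cases; plain classic scripts
# stay unchecked for now because ~6% of page loads would break.
ENFORCED = {
    "module": True,
    "classic worker": True,
    "classic worker-imported": True,
    "classic": False,
}

HTTP_WHITESPACE = " \t\n\r"


def extract_mime_essence(content_type: Optional[str]) -> Optional[str]:
    """Return lowercase 'type/subtype' with parameters dropped, or None when
    the header is absent or does not parse as type/subtype (spec: failure)."""
    if content_type is None:
        return None
    essence = content_type.split(";", 1)[0].strip(HTTP_WHITESPACE).lower()
    if "/" not in essence:
        return None
    mime_type, subtype = essence.split("/", 1)
    if not mime_type or not subtype:
        return None
    return f"{mime_type}/{subtype}"


def is_javascript_mime_type(content_type: Optional[str]) -> bool:
    """A missing or unparseable header is not a JavaScript MIME type."""
    return extract_mime_essence(content_type) in JAVASCRIPT_MIME_TYPES


def should_block(script_kind: str, content_type: Optional[str]) -> bool:
    """Block the fetch iff the check is enforced for this script kind and the
    response's MIME type is not a JavaScript MIME type."""
    if script_kind not in ENFORCED:
        raise ValueError(f"unknown script kind: {script_kind}")
    return ENFORCED[script_kind] and not is_javascript_mime_type(content_type)


def tally_would_fail(observations: Iterable[Tuple[str, Optional[str]]]):
    """Count responses that would fail the check if it applied to every kind,
    broken down by script kind and by offending MIME essence."""
    by_kind: Counter = Counter()
    by_mime: Counter = Counter()
    for kind, content_type in observations:
        if not is_javascript_mime_type(content_type):
            by_kind[kind] += 1
            by_mime[extract_mime_essence(content_type) or "<none>"] += 1
    return by_kind, by_mime


# Constructed sample responses (script kind, Content-Type); not real telemetry.
SAMPLE_RESPONSES = [
    ("classic worker", "text/javascript; charset=utf-8"),
    ("classic worker", "text/html"),
    ("classic worker-imported", "application/octet-stream"),
    ("module", "application/javascript"),
    ("classic", "text/plain"),
    ("classic", "text/html"),
    ("classic", None),
    ("classic", "Text/JavaScript"),
]

if __name__ == "__main__":
    for kind, ct in SAMPLE_RESPONSES:
        verdict = "BLOCK" if should_block(kind, ct) else "allow"
        print(f"{verdict:5} {kind:24} {ct!r}")
    by_kind, by_mime = tally_would_fail(SAMPLE_RESPONSES)
    print("would fail by kind:", dict(by_kind))
    print("would fail by MIME:", dict(by_mime))
```

`extract_mime_essence` deliberately treats a missing or malformed Content-Type as failure, which the quoted step then counts as "not a JavaScript MIME type", so an enforced script kind with no Content-Type at all is blocked; that is the conservative reading of the spec text and the case most likely to surprise deployments that serve scripts without a header.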