-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORB confirmation sniffing for HTML, XML and JSON security prefix. #88
base: main
Are you sure you want to change the base?
Conversation
Some notes on testing... This pull requests has some limited test coverage via the following Web Platform Tests,:
I note that adding more CORB tests is problematic (especially for the cases where confirmation sniffing succeeds), because CORB should in general be invisible to the web content - see also wpt/fetch/corb/README.md Also... actually I see that I need to add |
Hmmm... actually, it should be possible to add some test coverage for JSON parser breakers - I am trying to do that here: https://crrev.com/c/1295185. |
@@ -139,7 +139,7 @@ production. By definition it is a superset of the <a>HTTP token code points</a>. | |||
|
|||
<p> | |||
A <dfn>whitespace byte</dfn> (abbreviated | |||
<abbr lt="whitespace byte">0xWS</abbr>) is any one of the following | |||
<abbr lt="whitespace byte">1xWS</abbr>) is any one of the following |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this change intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was accidental I think.
At any rate, CORB will most likely be replaced with ORB (https://github.com/annevk/orb) and this will mean that this CL can be abandoned.
Hello @annevk, @csreis, @GPHemsley,
This is my attempt to start documenting CORB confirmation sniffing algorithm (as tracked by #87 and in whatwg/fetch#681 (comment)).
I hope that this pull request is close to being acceptable, but I do note that:
and so it is likely that I made some newbie miskates. I am open to any feedback.
cover JSON sniffing (as implemented in Chromium in CrossOriginReadBlocking::SniffForJSON).
I hope that this omission is okay. I am worried that sniffing for JSON can end up more complicated
than the other kinds of sniffing, because 1) the current implementation requires a small state machine
and 2) the current implementation is imperfect (e.g. doesn't recognize JSON lists).
Please take a look?
-Lukasz
PS. I forgot to add my name to the contributors list. Let me fix this in a moment.
Preview | Diff