Bug 1916351 - Only allow JSON mime type for javascript modules r=evilpie,necko-reviewers,devtools-reviewers,jesup,nchevobbe

Differential Revision: https://phabricator.services.mozilla.com/D220917
2024-09-05 09:59:12 +00:00
parent 9143c206db
commit 32c95bd458
6 changed files with 62 additions and 9 deletions
--- a/devtools/client/webconsole/test/browser/_webconsole.toml
+++ b/devtools/client/webconsole/test/browser/_webconsole.toml
@@ -140,6 +140,9 @@ support-files = [
  "test-network-exceptions.html",
  "test-network-request.html",
  "test-network.html",
  "test-json-mime.html",
  "test-json-mime.json",
  "test-json-mime.json^headers^",
  "test-non-javascript-mime.html",
  "test-non-javascript-mime.js",
  "test-non-javascript-mime.js^headers^",
@@ -564,6 +567,8 @@ fail-if = ["a11y_checks"] # Bug 1849028 clicked element may not be focusable and
 ["browser_webconsole_non_javascript_mime_warning.js"]
 ["browser_webconsole_json_mime_warning.js"]
 ["browser_webconsole_non_javascript_mime_worker_error.js"]
 ["browser_webconsole_non_standard_doctype_errors.js"]
--- a/devtools/client/webconsole/test/browser/browser_webconsole_json_mime_warning.js
+++ b/devtools/client/webconsole/test/browser/browser_webconsole_json_mime_warning.js
@@ -0,0 +1,20 @@
 /* Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/ */
 // Tests that <script> loads with JSON MIME types produce a warning.
 // See Bug 1916351.
 "use strict";
 const TEST_URI =
  "https://example.com/browser/devtools/client/webconsole/" +
  "test/browser/" +
  "test-json-mime.html";
 const MIME_WARNING_MSG =
  "The script from “https://example.com/browser/devtools/client/webconsole/test/browser/test-json-mime.json” was loaded even though its MIME type (“application/json”) is not a valid JavaScript MIME type.";
 add_task(async function () {
  const hud = await openNewTabAndConsole(TEST_URI);
  await waitFor(() => findWarningMessage(hud, MIME_WARNING_MSG), "", 100);
  ok(true, "JSON MIME type warning displayed");
 });
--- a/devtools/client/webconsole/test/browser/test-json-mime.html
+++ b/devtools/client/webconsole/test/browser/test-json-mime.html
@@ -0,0 +1,13 @@
 <!DOCTYPE html>
 <html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Web Console test for script with JSON MIME type</title>
 <!-- Any copyright is dedicated to the Public Domain.
     http://creativecommons.org/publicdomain/zero/1.0/ -->
    <script src="test-json-mime.json"></script>
  </head>
  <body>
    <p>Web Console test for script with JSON MIME type.</p>
  </body>
 </html>
--- a/devtools/client/webconsole/test/browser/test-json-mime.json
+++ b/devtools/client/webconsole/test/browser/test-json-mime.json
@@ -0,0 +1 @@
 { "test": 123 }
--- a/devtools/client/webconsole/test/browser/test-json-mime.json^headers^
+++ b/devtools/client/webconsole/test/browser/test-json-mime.json^headers^
@@ -0,0 +1 @@
 Content-Type: application/json
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -2945,9 +2945,14 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
    return NS_OK;
  }
-  if (nsContentUtils::IsJsonMimeType(typeString)) {
+  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
  bool isModule =
      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD;
  if (isModule && nsContentUtils::IsJsonMimeType(typeString)) {
    AccumulateCategorical(
-        Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::text_json);
+        Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::javaScript);
    return NS_OK;
  }
@@ -3087,7 +3092,6 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
  }
  // We restrict importScripts() in worker code to JavaScript MIME types.
  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
  if (internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS ||
      internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_STATIC_MODULE) {
    ReportMimeTypeMismatch(aChannel, "BlockImportScriptsWithWrongMimeType",
@@ -3108,8 +3112,7 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
  }
  // ES6 modules require a strict MIME type check.
-  if (internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
+  if (isModule) {
      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD) {
    ReportMimeTypeMismatch(aChannel, "BlockModuleWithWrongMimeType", aURI,
                           contentType, Report::Error);
    return NS_ERROR_CORRUPTED_CONTENT;
@@ -3145,11 +3148,21 @@ void WarnWrongMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
  nsAutoCString contentType;
  aResponseHead->ContentType(contentType);
  NS_ConvertUTF8toUTF16 typeString(contentType);
-  if (!nsContentUtils::IsJavascriptMIMEType(typeString) &&
+
-      !nsContentUtils::IsJsonMimeType(typeString)) {
+  if (nsContentUtils::IsJavascriptMIMEType(typeString)) {
-    ReportMimeTypeMismatch(aChannel, "WarnScriptWithWrongMimeType", aURI,
+    return;
                           contentType, Report::Warning);
  }
  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
  bool isModule =
      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD;
  if (isModule && nsContentUtils::IsJsonMimeType(typeString)) {
    return;
  }
  ReportMimeTypeMismatch(aChannel, "WarnScriptWithWrongMimeType", aURI,
                         contentType, Report::Warning);
 }
 nsresult HttpBaseChannel::ValidateMIMEType() {