Bug 1916351 - Only allow JSON mime type for javascript modules r=evilpie,necko-reviewers,devtools-reviewers,jesup,nchevobbe

Differential Revision: https://phabricator.services.mozilla.com/D220917
2024-09-05 09:59:12 +00:00
parent 9143c206db
commit 32c95bd458
6 changed files with 62 additions and 9 deletions
--- a/devtools/client/webconsole/test/browser/_webconsole.toml
+++ b/devtools/client/webconsole/test/browser/_webconsole.toml
@@ -140,6 +140,9 @@ support-files = [
  "test-network-exceptions.html",
  "test-network-request.html",
  "test-network.html",
+  "test-json-mime.html",
+  "test-json-mime.json",
+  "test-json-mime.json^headers^",
  "test-non-javascript-mime.html",
  "test-non-javascript-mime.js",
  "test-non-javascript-mime.js^headers^",
@@ -564,6 +567,8 @@ fail-if = ["a11y_checks"] # Bug 1849028 clicked element may not be focusable and

 ["browser_webconsole_non_javascript_mime_warning.js"]

+["browser_webconsole_json_mime_warning.js"]
+
 ["browser_webconsole_non_javascript_mime_worker_error.js"]

 ["browser_webconsole_non_standard_doctype_errors.js"]
--- a/devtools/client/webconsole/test/browser/browser_webconsole_json_mime_warning.js
+++ b/devtools/client/webconsole/test/browser/browser_webconsole_json_mime_warning.js
@@ -0,0 +1,20 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Tests that <script> loads with JSON MIME types produce a warning.
+// See Bug 1916351.
+
+"use strict";
+
+const TEST_URI =
+  "https://example.com/browser/devtools/client/webconsole/" +
+  "test/browser/" +
+  "test-json-mime.html";
+const MIME_WARNING_MSG =
+  "The script from “https://example.com/browser/devtools/client/webconsole/test/browser/test-json-mime.json” was loaded even though its MIME type (“application/json”) is not a valid JavaScript MIME type.";
+
+add_task(async function () {
+  const hud = await openNewTabAndConsole(TEST_URI);
+  await waitFor(() => findWarningMessage(hud, MIME_WARNING_MSG), "", 100);
+  ok(true, "JSON MIME type warning displayed");
+});
--- a/devtools/client/webconsole/test/browser/test-json-mime.html
+++ b/devtools/client/webconsole/test/browser/test-json-mime.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>Web Console test for script with JSON MIME type</title>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+    <script src="test-json-mime.json"></script>
+  </head>
+  <body>
+    <p>Web Console test for script with JSON MIME type.</p>
+  </body>
+</html>
--- a/devtools/client/webconsole/test/browser/test-json-mime.json
+++ b/devtools/client/webconsole/test/browser/test-json-mime.json
@@ -0,0 +1 @@
+{ "test": 123 }
--- a/devtools/client/webconsole/test/browser/test-json-mime.json^headers^
+++ b/devtools/client/webconsole/test/browser/test-json-mime.json^headers^
@@ -0,0 +1 @@
+Content-Type: application/json
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -2945,9 +2945,14 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
    return NS_OK;
  }

-  if (nsContentUtils::IsJsonMimeType(typeString)) {
+  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
+  bool isModule =
+      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
+      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD;
+
+  if (isModule && nsContentUtils::IsJsonMimeType(typeString)) {
    AccumulateCategorical(
-        Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::text_json);
+        Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::javaScript);
    return NS_OK;
  }

@@ -3087,7 +3092,6 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
  }

  // We restrict importScripts() in worker code to JavaScript MIME types.
-  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
  if (internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS ||
      internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_STATIC_MODULE) {
    ReportMimeTypeMismatch(aChannel, "BlockImportScriptsWithWrongMimeType",
@@ -3108,8 +3112,7 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
  }

  // ES6 modules require a strict MIME type check.
-  if (internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
-      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD) {
+  if (isModule) {
    ReportMimeTypeMismatch(aChannel, "BlockModuleWithWrongMimeType", aURI,
                           contentType, Report::Error);
    return NS_ERROR_CORRUPTED_CONTENT;
@@ -3145,11 +3148,21 @@ void WarnWrongMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
  nsAutoCString contentType;
  aResponseHead->ContentType(contentType);
  NS_ConvertUTF8toUTF16 typeString(contentType);
-  if (!nsContentUtils::IsJavascriptMIMEType(typeString) &&
-      !nsContentUtils::IsJsonMimeType(typeString)) {
-    ReportMimeTypeMismatch(aChannel, "WarnScriptWithWrongMimeType", aURI,
-                           contentType, Report::Warning);
+
+  if (nsContentUtils::IsJavascriptMIMEType(typeString)) {
+    return;
  }
+
+  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
+  bool isModule =
+      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
+      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD;
+  if (isModule && nsContentUtils::IsJsonMimeType(typeString)) {
+    return;
+  }
+
+  ReportMimeTypeMismatch(aChannel, "WarnScriptWithWrongMimeType", aURI,
+                         contentType, Report::Warning);
 }

 nsresult HttpBaseChannel::ValidateMIMEType() {