New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XCTO affects more than script-like and "style" #1701

Open

JannisBush opened this issue Sep 20, 2023 · 0 comments

JannisBush commented Sep 20, 2023

Only request destinations that are script-like or "style" are considered as any exploits pertain to them. Also, considering "image" was not compatible with deployed content. (https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?)

To me the spec reads as XCTO only is used for script-like and style destinations, however this is not the case.

CORB and ORB use XCTO for images and media
Browsers seem to be using XCTO for iframes and windows as well. Responses with XCTO are either displayed as text/plain or treated as downloads

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment