Anne van Kesteren

Results 4057 comments of Anne van Kesteren

@anforowicz I don't think that approach really helps with this problem as the image fetching pipeline ignores MIME types (except for `image/svg+xml`). This is much more about what sniffing allows...

In order of preference:
* CORS, while this has opposition it is the correct solution. And for other formats this is what we require, e.g., module scripts. Some new image...

Yeah it would network error (due to ORB). cc @domenic

@saschanaz it's probably too late at this point to include AVIF. https://github.com/AOMediaCodec/av1-avif/issues/149 tracks that.

It's not clear to me why the transition for media formats is harder than for JS (note that JS modules require CORS as well as a MIME type). Also, having...

Right, it seems beneficial for the future security of the web to absorb that transition cost.

@anforowicz @otherdaniel thoughts on using this header to bypass the algorithm altogether?

I think `Access-Control-Allow-Origin: *` is best excluded because:
1. It indeed has no defined semantics for "no-cors".
2. And more importantly, even when mode is "cors", it only works when...

Looking at this again and in particular https://html.spec.whatwg.org/#fetch-a-classic-script I think the simplest option here is that we pass the encoding along with the request and then we need to abstract...

One risk here is that the attacker has control over the encoding, so this technically gives them more opportunity to find a way to get something parsed as JavaScript. In...