Incentives against using `text/javascript` almost everywhere
ORB imposes a performance penalty on incorrectly labelled JavaScript responses (e.g. on JavaScript served as text/html), because the body of such mislabeled responses needs to be fully loaded and confirmation-parsed before being used in content/renderer processes. Web developers can avoid this performance penalty by correctly labeling their JavaScript responses with a JavaScript MIME type. ORB implementations can help push web developers in this direction by communicating the "slow" responses as they occur (e.g. reporting to the JavaScript console).
One quirky way to avoid the slowness would be to label almost everything as text/javascript (e.g. web developers could configure their HTTP servers to default to text/javascript instead of text/html). This is undesirable, because it prevents ORB from protecting (now mislabeled) HTML responses. AFAIK most responses can be mislabeled (except CSS, fonts, text tracks? I think that images/audio/video/html would still work via sniffing even when mislabeled as JavaScript).
Question/issue: What incentives can we introduce against using text/javascript almost everywhere?
One idea would be to disallow certain MIME types from being used in responses that sniff as an image or audio/video. Currently we have:
Step 6: If the image type pattern matching algorithm given bytes does not return undefined, then return true.
We could change that to something like:
Step 6: If the image type pattern matching algorithm given bytes does not return undefined, then:
Step 6.1: If MIME type is a JavaScript MIME type, return false.
Step 6.2: Otherwise, return true.
? (We can't have an allowlist for images, because they are sometimes served with weird MIME types like application/octet-stream, but maybe a blocklist is doable.)
(I am not sure if this will be a big/real problem in practice / not sure how much the extra complexity proposed above is worth it... maybe it is okay to just start with the simple algorithm for now...)
/cc @csreis
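A runnable model of the step 6 change proposed above, added here as an example (it is not code from the ORB spec or from any browser). It assumes the ORB convention that `true` means the response is allowed and `false` means blocked, and `None` stands for "step 6 does not decide, continue with the next step". The image signatures are a constructed subset of the MIME Sniffing Standard's image patterns; the JavaScript MIME type set follows the HTML Standard's list.

```python
from typing import Optional

# JavaScript MIME types as listed in the HTML Standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# (byte pattern, pattern mask, sniffed type): a constructed subset of the
# MIME Sniffing Standard's image type patterns. A 0x00 mask byte means
# "any byte here" (used for the RIFF chunk size in WebP).
IMAGE_PATTERNS = [
    (b"\x00\x00\x01\x00", b"\xff" * 4, "image/x-icon"),
    (b"\x00\x00\x02\x00", b"\xff" * 4, "image/x-icon"),
    (b"BM", b"\xff" * 2, "image/bmp"),
    (b"GIF87a", b"\xff" * 6, "image/gif"),
    (b"GIF89a", b"\xff" * 6, "image/gif"),
    (b"RIFF\x00\x00\x00\x00WEBPVP", b"\xff" * 4 + b"\x00" * 4 + b"\xff" * 6, "image/webp"),
    (b"\x89PNG\r\n\x1a\n", b"\xff" * 8, "image/png"),
    (b"\xff\xd8\xff", b"\xff" * 3, "image/jpeg"),
]


def image_type_pattern_matching(body: bytes) -> Optional[str]:
    """Return the sniffed image MIME type, or None (the spec's 'undefined')."""
    for pattern, mask, mime in IMAGE_PATTERNS:
        if len(body) >= len(pattern) and all(
            (b & m) == p for b, m, p in zip(body, mask, pattern)
        ):
            return mime
    return None


def mime_essence(content_type: str) -> str:
    """Lower-cased type/subtype with parameters dropped (the MIME 'essence')."""
    return content_type.split(";", 1)[0].strip().lower()


def orb_step6_current(content_type: str, body: bytes) -> Optional[bool]:
    """Current step 6: any body that sniffs as an image is allowed."""
    return True if image_type_pattern_matching(body) is not None else None


def orb_step6_proposed(content_type: str, body: bytes) -> Optional[bool]:
    """Proposed step 6: an image body is allowed unless labelled as JavaScript."""
    if image_type_pattern_matching(body) is None:
        return None  # step 6 does not apply; later steps decide
    return mime_essence(content_type) not in JAVASCRIPT_MIME_TYPES  # 6.1 / 6.2
```

Running both variants over the same PNG body shows the difference: under the current text a PNG served as `text/javascript` passes step 6, under the proposal it is blocked, while `application/octet-stream` (a common odd label for images) still passes.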
When I navigate to
...
Content-Type: text/javascript
<!doctype html>
<b>test</b>
it renders as
<!doctype html>
<b>test</b>
in all browsers for me.
If we changed step 6 as you suggest we would have to sniff for images before returning true for a JavaScript MIME type as well.
I'm not sure immediate changes are needed, but it does seem good to keep these kinds of potential ecosystem effects in mind, so keeping this open for now seems reasonable.