Remove Content Type Sniffing for Worker Scripts

Worker scripts will be rejected unless they're delivered with a JavaScript MIME type (https://mimesniff.spec.whatwg.org/#javascript-mime-type).

Motivation

Web browsers will execute JavaScript, use CSS, etc., even if the Content-Type: header indicates a non-matching MIME type. For example, including a text/html resource via a <script src=...> tag would succeed. This has been a security concern for quite a while, and there's a long-standing desire to eliminate or at least reduce this. Tightening MIME type restrictions makes it less likely that a server's resources are inadvertently executed as script, and allows us to tighten CORB protections outside the renderer process.

Status in Chromium

Blink


No active development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Comments

This is one step in the long-term process to eliminate content type sniffing. Since worker scripts are a relatively new feature, they have not yet acquired the legacy baggage of other features, which allows us to remove this particular feature combination without much risk, and before unsuitable usage could become a legacy. Also, there's a trivial work-around for any affected developer: Just serve your scripts with a proper MIME type.
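To find worker scripts that would be affected, a site owner can check recorded Content-Type values against the JavaScript MIME type list in the MIME Sniffing standard. The following is an added example, not Chromium code: it uses a simplified essence match rather than the full WHATWG parsing algorithm, and the function names, URLs and sample responses are constructed for illustration.

```javascript
// JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Simplified essence extraction (an assumption of this example, not the full
// "parse a MIME type" algorithm): drop parameters, trim, lowercase.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const token = "[!#$%&'*+\\-.^_`|~0-9a-z]+"; // HTTP token characters
  return new RegExp("^" + token + "/" + token + "$").test(essence) ? essence : null;
}

function isJavaScriptMimeType(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JS_MIME_ESSENCES.has(essence);
}

// Given {url, contentType} records for worker scripts (for example from
// access logs or a crawl), return those a strict MIME check would reject.
function findRejectedWorkerScripts(responses) {
  return responses
    .filter((r) => !isJavaScriptMimeType(r.contentType))
    .map((r) => ({
      url: r.url,
      contentType: r.contentType ?? "(missing)",
      reason: mimeEssence(r.contentType) === null
        ? "missing or unparseable Content-Type" : "not a JavaScript MIME type",
    }));
}

// Constructed sample data; hosts and paths are placeholders.
const SAMPLE_RESPONSES = [
  { url: "https://app.example/worker.js", contentType: "text/javascript; charset=utf-8" },
  { url: "https://app.example/legacy-worker.js", contentType: "Application/X-JavaScript" },
  { url: "https://app.example/upload/worker.txt", contentType: "text/plain" },
  { url: "https://app.example/sw.js", contentType: "text/html; charset=utf-8" },
  { url: "https://app.example/w.js", contentType: "application/json" },
  { url: "https://app.example/nohdr.js", contentType: undefined },
];

for (const r of findRejectedWorkerScripts(SAMPLE_RESPONSES)) {
  console.log(`${r.url}: ${r.contentType} (${r.reason})`);
}
```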

Last updated on 2020-10-25