Content-Type & Nosniff Ignored on XML External Entity Resources
authorddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Mar 2020 23:52:09 +0000 (23:52 +0000)
committerddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Mar 2020 23:52:09 +0000 (23:52 +0000)
commitc9f9bb0a997ae2f08517bf0d4781e1a47da9d39c
tree5cba6777eaa9211e5fdca6ed7ba5f54c4b947df2
parentd89e2d1b573b1338678a265dc3d7fe77a1f9beb1
Content-Type & Nosniff Ignored on XML External Entity Resources
<https://webkit.org/b/191171>
<rdar://problem/45763222>

Reviewed by Darin Adler.

Source/WebCore:

Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml

* platform/MIMETypeRegistry.cpp:
(WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.
* platform/MIMETypeRegistry.h:
(WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.
- Checks for XML external entity MIME types.

* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityMimeTypeAllowedByNosniff): Add.
- Checks whether the MIME type is valid based on the presence of
  the "X-Content-Type-Options: nosniff" header.
(WebCore::openFunc):
- Drop the contents of the resource that was returned and print
  an error message to the Web Inspector console if
  externalEntityMimeTypeAllowedByNosniff() says the MIME type is
  not allowed.

LayoutTests:

* http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.
* http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@258799 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/MIMETypeRegistry.cpp
Source/WebCore/platform/MIMETypeRegistry.h
Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp