CORB confirmation sniffing for HTML, XML and JSON security prefix. #88
Conversation
|
Some notes on testing... This pull requests has some limited test coverage via the following Web Platform Tests,:
I note that adding more CORB tests is problematic (especially for the cases where confirmation sniffing succeeds), because CORB should in general be invisible to the web content - see also wpt/fetch/corb/README.md Also... actually I see that I need to add |
Hmmm... actually, it should be possible to add some test coverage for JSON parser breakers - I am trying to do that here: https://crrev.com/c/1295185. |
| @@ -139,7 +139,7 @@ production. By definition it is a superset of the <a>HTTP token code points</a>. | |||
|
|
|||
| <p> | |||
| A <dfn>whitespace byte</dfn> (abbreviated | |||
| <abbr lt="whitespace byte">0xWS</abbr>) is any one of the following | |||
| <abbr lt="whitespace byte">1xWS</abbr>) is any one of the following | |||
There was a problem hiding this comment.
This was accidental I think.
At any rate, CORB will most likely be replaced with ORB (https://github.com/annevk/orb) and this will mean that this CL can be abandoned.
Hello @annevk, @csreis, @GPHemsley,
This is my attempt to start documenting CORB confirmation sniffing algorithm (as tracked by #87 and in whatwg/fetch#681 (comment)).
I hope that this pull request is close to being acceptable, but I do note that:
and so it is likely that I made some newbie miskates. I am open to any feedback.
cover JSON sniffing (as implemented in Chromium in CrossOriginReadBlocking::SniffForJSON).
I hope that this omission is okay. I am worried that sniffing for JSON can end up more complicated
than the other kinds of sniffing, because 1) the current implementation requires a small state machine
and 2) the current implementation is imperfect (e.g. doesn't recognize JSON lists).
Please take a look?
-Lukasz
PS. I forgot to add my name to the contributors list. Let me fix this in a moment.
Preview | Diff