Worker scripts will be rejected unless they're delivered with a javascript MIME type (https://mimesniff.spec.whatwg.org/#javascript-mime-type).

Motivation

Web browsers will execute JavaScript, use CSS, etc., even if the Content-Type: header indicates a non-matching MIME type. For example, including a text/html resource via a <script src=.... > tag would succeed. This has been a security concern for quite a while, and there's a long-standing desire to eliminate or at least reduce this. Tightening MIME type restrictions makes it less likely that a server's resources are inadvertently executed as script, and allows us to tighten CORB protections outside the renderer process.

Documentation

• https://mimesniff.spec.whatwg.org/#javascript-mime-type
• https://groups.google.com/a/chromium.org/d/msg/blink-dev/35t5cJQ3J_Q/FH45dl0vAwAJ

Specification

Specification link

Status: Specification being incubated in a Community Group

Status in Chromium

Blink components: Blink

Implementation status: No active development (tracking bug)

Consensus & Standardization

• Firefox: Positive
• Safari: No signal
• Web Developers: No signals

Owners

• vogelheim@chromium.org
• mkwst@chromium.org

Intent to Prototype url

Comments

This is one step in the long-term process to eliminate content type sniffing. Since worker scripts are a relatively new feature they have not yet acquired legacy baggage of other features, which allows us to remove this particular feature combination without much risk, and before unsuitable usage could becomes a legacy. Also, there's a trivial work-around for any affected developer: Just serve your scripts with a proper MIME type.

Last updated on 2021-11-27