diff options
| author | inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-09 22:27:39 +0000 |
|---|---|---|
| committer | inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-09 22:27:39 +0000 |
| commit | e122e6072c0fd97b990d08fae16b300d973456c9 (patch) | |
| tree | e9001bd2344902f4e9d3b6ffedbcc89803fd75dc /net | |
| parent | 843c2842e2a7f473d7f1791a34a08189ffc5adde (diff) | |
| download | chromium_src-e122e6072c0fd97b990d08fae16b300d973456c9.zip chromium_src-e122e6072c0fd97b990d08fae16b300d973456c9.tar.gz chromium_src-e122e6072c0fd97b990d08fae16b300d973456c9.tar.bz2 | |
Prevent people from adding mime type to supported_non_image_types that will make it render as HTML. This is not the fix for bug, but to prevent people from making the same mistake again.
BUG=38105
TEST=None
Review URL: http://codereview.chromium.org/1617013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44143 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/base/mime_util.cc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/base/mime_util.cc b/net/base/mime_util.cc index f702fbe..aa3934b 100644 --- a/net/base/mime_util.cc +++ b/net/base/mime_util.cc @@ -239,7 +239,11 @@ static const char* const supported_non_image_types[] = { "application/json", "application/x-x509-user-cert", "multipart/x-mixed-replace" + // Note: ADDING a new type here will probably render it AS HTML. This can + // result in cross site scripting. }; +COMPILE_ASSERT(arraysize(supported_non_image_types) == 16, + supported_non_images_types_must_equal_16); // Mozilla 1.8 and WinIE 7 both accept text/javascript and text/ecmascript. // Mozilla 1.8 accepts application/javascript, application/ecmascript, and |