Support 'application/octet-steam' in the list of safe MIME types

PiperOrigin-RevId: 726448701
google · Feb 13, 2025 · 19cf46a · 19cf46a
1 parent e62b327
commit 19cf46a
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,22 +1,35 @@
 # Changelog
 
+## [1.2.0][1.2.0] - 2025-02-13
+
+### Changed
+
+-   Support `application/octet-stream` as a MIME type in objectUrlFromSafeSource
+-   Support certain font MIME types in objectUrlFromSafeSource
+-   Support certain font MIME types in objectUrlFromSafeSource
+-   Support additional image and audio MIME type formats in
+    objectUrlFromSafeSource
+
 ## [1.1.0][1.1.0] - 2025-02-06
 
 ### Added
 
-- Implement `setElementAttribute` and document it
-- Add a `.withOpenShadow` `CssSanitizerBuilder` option
-- Add "controlslist" to the list of globally permitted attributes
-- Add a CHANGELOG.md that follows https://common-changelog.org/
+-   Implement `setElementAttribute` and document it
+-   Add a `.withOpenShadow` `CssSanitizerBuilder` option
+-   Add "controlslist" to the list of globally permitted attributes
+-   Add a CHANGELOG.md that follows https://common-changelog.org/
 
 ### Changed
 
-- Downgrade the global attribute contracts for "cite" and "poster" attributes in the sanitizer
-- Extend `allowDataAttributes` from the `HtmlSanitizerBuilder` to allow any `data-*` attributes
+-   Downgrade the global attribute contracts for "cite" and "poster" attributes
+    in the sanitizer
+-   Extend `allowDataAttributes` from the `HtmlSanitizerBuilder` to allow any
+    `data-*` attributes
 
 ## [1.0.1][1.0.1] - 2025-01-03
 
-_Initial release._
+*Initial release.*
 
+[1.2.0]: https://github.com/google/safevalues/releases/tag/v1.2.0
 [1.1.0]: https://github.com/google/safevalues/releases/tag/v1.1.0
-[1.0.1]: https://github.com/google/safevalues/releases/tag/v1.0.1
+[1.0.1]: https://github.com/google/safevalues/releases/tag/v1.0.1
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1.0
+1.2.0
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "safevalues",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Safe builders for Trusted Types values",
   "repository": "https://github.com/google/safevalues",
   "author": "ISE Web Hardening Team",

diff --git a/src/dom/globals/url.ts b/src/dom/globals/url.ts
@@ -5,29 +5,35 @@
  */
 
 /**
- * A pattern that matches safe MIME types. Only matches image, video and audio
- * types, with some parameter support (most notably, we haven't implemented the
- * more complex parts like %-encoded characters or non-alphanumerical ones for
- * simplicity's sake). Also, the specs are fairly complex, and they don't
- * necessarily agree with Chrome on some aspects, and so we settled on a subset
- * where the behavior makes sense to all parties involved.
+ * A pattern that matches safe MIME types. Only matches image, video, audio and
+ * application/octet-stream types, with some parameter support (most notably, we
+ * haven't implemented the more complex parts like %-encoded characters or
+ * non-alphanumerical ones for simplicity's sake). Also, the specs are fairly
+ * complex, and they don't necessarily agree with Chrome on some aspects, and so
+ * we settled on a subset where the behavior makes sense to all parties
+ * involved.
+ * Use application/octet-stream for blobs that are meant to be downloaded.
  *
  * The spec is available at https://mimesniff.spec.whatwg.org/ (and see
  * https://tools.ietf.org/html/rfc2397 for data: urls, which override some of
  * it).
  */
 function isSafeMimeType(mimeType: string): boolean {
+  if (mimeType.toLowerCase() === 'application/octet-stream') {
+    return true;
+  }
   const match = mimeType.match(/^([^;]+)(?:;\w+=(?:\w+|"[\w;,= ]+"))*$/i);
   return (
     match?.length === 2 &&
     (isSafeImageMimeType(match[1]) ||
       isSafeVideoMimeType(match[1]) ||
-      isSafeAudioMimeType(match[1]))
+      isSafeAudioMimeType(match[1]) ||
+      isSafeFontMimeType(match[1]))
   );
 }
 
 function isSafeImageMimeType(mimeType: string): boolean {
-  return /^image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp|x-icon|heic|heif)$/i.test(
+  return /^image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp|x-icon|heic|heif|avif|x-ms-bmp)$/i.test(
     mimeType,
   );
 }
@@ -39,11 +45,15 @@ function isSafeVideoMimeType(mimeType: string): boolean {
 }
 
 function isSafeAudioMimeType(mimeType: string): boolean {
-  return /^audio\/(?:3gpp2|3gpp|aac|L16|midi|mp3|mp4|mpeg|oga|ogg|opus|x-m4a|x-matroska|x-wav|wav|webm)$/i.test(
+  return /^audio\/(?:3gpp2|3gpp|aac|amr|L16|midi|mp3|mp4|mpeg|oga|ogg|opus|x-m4a|x-matroska|x-wav|wav|webm)$/i.test(
     mimeType,
   );
 }
 
+function isSafeFontMimeType(mimeType: string): boolean {
+  return /^font\/[\w-]+$/i.test(mimeType);
+}
+
 /**
  * Wraps URL.createObjectURL, checking the safety of the source. For blobs, the
  * function validates that the Blob's type is amongst the safe MIME types, and

diff --git a/test/dom/globals/url_test.ts b/test/dom/globals/url_test.ts
@@ -28,6 +28,12 @@ describe('objectUrlFromSafeSource', () => {
       objectUrlRegExp,
     );
     expect(buildBlobWithType('audio/mp3;1="2;";3=5')).toMatch(objectUrlRegExp);
+    expect(buildBlobWithType('application/octet-stream')).toMatch(
+      objectUrlRegExp,
+    );
+    expect(buildBlobWithType('APPLICATION/octet-stream')).toMatch(
+      objectUrlRegExp,
+    );
 
     expect(() => buildBlobWithType('image/jpg x')).toThrow();
     expect(() => buildBlobWithType('x image/jpg')).toThrow();