Don't override application/octet-stream MIME type.

webkit/plugins/npapi/plugin_list.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webkit/plugins/npapi/plugin_list.h"
 
 #include <algorithm>
 
 #include "base/command_line.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "net/base/mime_util.h"
 #include "url/gurl.h"
 #include "webkit/plugins/npapi/plugin_utils.h"
 #include "webkit/plugins/plugin_switches.h"
 
 #if defined(OS_WIN)
 #include "webkit/plugins/npapi/plugin_constants_win.h"
 #endif
 
 namespace {
 
 using webkit::npapi::PluginList;
 
-const char kApplicationOctetStream[] = "application/octet-stream";
-
 base::LazyInstance<PluginList> g_singleton = LAZY_INSTANCE_INITIALIZER;
 
-bool AllowMimeTypeMismatch(const std::string& orig_mime_type,
-                           const std::string& actual_mime_type) {
-  if (orig_mime_type == actual_mime_type) {
-    NOTREACHED();
-    return true;
-  }
-
-  // We do not permit URL-sniff based plug-in MIME type overrides aside from
-  // the case where the "type" was initially missing or generic
-  // (application/octet-stream).
-  // We collected stats to determine this approach isn't a major compat issue,
-  // and we defend against content confusion attacks in various cases, such
-  // as when the user doesn't have the Flash plug-in enabled.
-  bool allow = orig_mime_type.empty() ||
-               orig_mime_type == kApplicationOctetStream;
-  LOG_IF(INFO, !allow) << "Ignoring plugin with unexpected MIME type "
-                       << actual_mime_type << " (expected " << orig_mime_type
-                       << ")";
-  return allow;
-}
-
 }  // namespace
 
 namespace webkit {
 namespace npapi {
 
 // static
 PluginList* PluginList::Singleton() {
   return g_singleton.Pointer();
 }
 
@@ skipping 332 matching lines @@
       base::FilePath path = plugins_list_[i].path;
       if (visited_plugins.insert(path).second) {
         info->push_back(plugins_list_[i]);
         if (actual_mime_types)
           actual_mime_types->push_back(mime_type);
       }
     }
   }
 
   // Add in plugins by url.
+  // We do not permit URL-sniff based plug-in MIME type overrides aside from
+  // the case where the "type" was initially missing.
+  // We collected stats to determine this approach isn't a major compat issue,
+  // and we defend against content confusion attacks in various cases, such
+  // as when the user doesn't have the Flash plug-in enabled.
   std::string path = url.path();
   std::string::size_type last_dot = path.rfind('.');
-  if (last_dot != std::string::npos) {
+  if (last_dot != std::string::npos && mime_type.empty()) {
     std::string extension = StringToLowerASCII(std::string(path, last_dot+1));
     std::string actual_mime_type;
     for (size_t i = 0; i < plugins_list_.size(); ++i) {
       if (SupportsExtension(plugins_list_[i], extension, &actual_mime_type)) {
         base::FilePath path = plugins_list_[i].path;
-        if (visited_plugins.insert(path).second &&
-            AllowMimeTypeMismatch(mime_type, actual_mime_type)) {
+        if (visited_plugins.insert(path).second) {
           info->push_back(plugins_list_[i]);
           if (actual_mime_types)
             actual_mime_types->push_back(actual_mime_type);
         }
       }
     }
   }
 }
 
 bool PluginList::SupportsType(const webkit::WebPluginInfo& plugin,
@@ skipping 29 matching lines @@
   }
   return false;
 }
 
 PluginList::~PluginList() {
 }
 
 
 }  // namespace npapi
 }  // namespace webkit