Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Currently, `<script src="whatever"></script>` will execute the resource
at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't
opt-in to additional protection by sending an `X-Content-Type-Options:
nosniff` header). This patch tightens that to exclude `text/csv` as well
as `audio/*` and `video/*` by default.

Spec: https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/AHsFvhHzh1o/GHj6QCdMAAAJ
Discussion: https://github.com/whatwg/fetch/issues/337

BUG=433049
Committed: https://crrev.com/14bc0a5f5b710feb11504db0432c3719a2216aaa
Cr-Commit-Position: refs/heads/master@{#416235}

[Mike West, 2016-08-31 13:57:04]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-08-31 13:57:25]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-08-31 15:32:45]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-08-31 15:32:46]

Dry run: This issue passed the CQ dry run.

[Mike West, 2016-09-02 08:38:32]

mkwst@chromium.org changed reviewers:
+ jochen@chromium.org

[Mike West, 2016-09-02 08:38:33]

WDYT, Jochen?

[Mike West, 2016-09-02 08:38:37]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-09-02 08:38:48]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-09-02 08:41:05]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-09-02 08:41:06]

Dry run: Try jobs failed on following builders:
  ios-device on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...)

[jochen (gone - plz use gerrit), 2016-09-02 08:47:23]

lgtm

[Mike West, 2016-09-02 09:23:57]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2016-09-02 09:23:57]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/2294283002/#ps40001
(title: "rebase")

[commit-bot: I haz the power, 2016-09-02 09:24:10]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2016-09-02 10:12:15]

Description was changed from

==========
Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Currently, `<script src="whatever"></script>` will execute the resource
at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't
opt-in to additional protection by sending an `X-Content-Type-Options:
nosniff` header). This patch tightens that to exclude `text/csv` as well
as `audio/*` and `video/*` by default.

Spec:
https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-m...
Intent:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/AHsFvhHzh1o/GHj6QCdM...

BUG=433049
==========

to

==========
Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Currently, `<script src="whatever"></script>` will execute the resource
at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't
opt-in to additional protection by sending an `X-Content-Type-Options:
nosniff` header). This patch tightens that to exclude `text/csv` as well
as `audio/*` and `video/*` by default.

Spec:
https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-m...
Intent:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/AHsFvhHzh1o/GHj6QCdM...
Discussion: https://github.com/whatwg/fetch/issues/337

BUG=433049
==========

[commit-bot: I haz the power, 2016-09-02 11:15:50]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-09-02 11:19:22]

Description was changed from

==========
Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Currently, `<script src="whatever"></script>` will execute the resource
at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't
opt-in to additional protection by sending an `X-Content-Type-Options:
nosniff` header). This patch tightens that to exclude `text/csv` as well
as `audio/*` and `video/*` by default.

Spec:
https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-m...
Intent:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/AHsFvhHzh1o/GHj6QCdM...
Discussion: https://github.com/whatwg/fetch/issues/337

BUG=433049
==========

to

==========
Stop sniffing 'audio/', 'video/', and 'text/csv' into script.

Currently, `<script src="whatever"></script>` will execute the resource
at `whatever` as long as it returns a non-`image/*` MIME-type (and doesn't
opt-in to additional protection by sending an `X-Content-Type-Options:
nosniff` header). This patch tightens that to exclude `text/csv` as well
as `audio/*` and `video/*` by default.

Spec:
https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-m...
Intent:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/AHsFvhHzh1o/GHj6QCdM...
Discussion: https://github.com/whatwg/fetch/issues/337

BUG=433049

Committed: https://crrev.com/14bc0a5f5b710feb11504db0432c3719a2216aaa
Cr-Commit-Position: refs/heads/master@{#416235}
==========

[commit-bot: I haz the power, 2016-09-02 11:19:23]

Patchset 3 (id:??) landed as
https://crrev.com/14bc0a5f5b710feb11504db0432c3719a2216aaa
Cr-Commit-Position: refs/heads/master@{#416235}