MIME type overmatch in data URLs #48957

Closed
@ghost

Description

Version

v20.5.0

Platform

Linux host 5.19.0-45-generic #46-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 7 09:08:58 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

modules

What steps will reproduce the bug?

Execute this command.

node --input-type=module --eval 'import "data:ONCEUPONAtext/javascriptTHEREWASASNEAKYMODULE,console.log(\"EVALUATED\")"'

The incorrectly typed inline module is evaluated. The string is logged to the console.

EVALUATED

How often does it reproduce? Is there a required condition?

Consistently.

What is the expected behavior? Why is that the expected behavior?

An incorrect MIME type is forbidden.

What do you see instead?

The module is evaluated.

Additional information

formats.js has a regex matching the MIME type.

/\s*(text|application)\/javascript\s*(;\s*charset=utf-?8\s*)?/i

This will match any MIME type that contains (text|application)/javascript anywhere. It maybe needs start and end anchors.
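
The overmatch and the effect of anchoring, as an added example that is not part of the original issue or of the Node.js source. `mediaTypeOf`, `acceptsAsJavaScript`, `compare` and the anchored pattern are assumptions made for illustration; the sample URLs are constructed, apart from the one taken from the reproduction above.

```javascript
// Pattern quoted in the issue: unanchored, so it matches anywhere in the input.
const UNANCHORED = /\s*(text|application)\/javascript\s*(;\s*charset=utf-?8\s*)?/i;
// Same pattern with ^ and $ added (the anchoring the issue suggests; an assumption here).
const ANCHORED = /^\s*(text|application)\/javascript\s*(;\s*charset=utf-?8\s*)?$/i;

// Hypothetical helper: return the media type portion of a data: URL, i.e.
// everything between "data:" and the first comma, minus a trailing ";base64" flag.
function mediaTypeOf(dataUrl) {
  const { protocol, pathname } = new URL(dataUrl);
  if (protocol !== 'data:') throw new TypeError('not a data: URL');
  const comma = pathname.indexOf(',');
  if (comma === -1) throw new TypeError('data: URL has no comma');
  return pathname.slice(0, comma).replace(/;base64$/i, '');
}

// Hypothetical check: would this pattern treat the URL as a JavaScript module?
function acceptsAsJavaScript(dataUrl, pattern) {
  return pattern.test(mediaTypeOf(dataUrl));
}

// Constructed sample inputs; the second is the URL from the issue's reproduction.
const SAMPLES = [
  'data:text/javascript,console.log(1)',
  'data:ONCEUPONAtext/javascriptTHEREWASASNEAKYMODULE,console.log("EVALUATED")',
  'data:application/javascript;charset=utf-8,console.log(1)',
  'data:text/javascript;base64,Y29uc29sZS5sb2coMSk=',
  'data:text/plain;x=text/javascript,console.log(1)',
  'data:text/javascript-evil,console.log(1)',
];

// Evaluate every sample against both patterns so the difference is visible.
function compare(samples = SAMPLES) {
  return samples.map((url) => ({
    mediaType: mediaTypeOf(url),
    unanchored: acceptsAsJavaScript(url, UNANCHORED),
    anchored: acceptsAsJavaScript(url, ANCHORED),
  }));
}

console.table(compare());
```

Any code that decides how to interpret content from a media type needs a whole-string match like this, since a substring match lets a parameter value or a suffix select the handler.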

Labels: confirmed-bug, esm