Context
RequestInterceptor wraps Fetch but does not validate response Content-Type headers. MIME confusion attacks are currently only preventable via custom middleware.
Goal
Built-in MIME type validation for fetch responses as a defense-in-depth measure.
Implementation
- Add optional expectedContentType to request config
- Validate response Content-Type header against expected type
- Throw RequestError on mismatch
- Default: no validation (backwards compatible)
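Sketch of the check described above, as an added example rather than code from the RequestInterceptor project. It assumes the names RequestConfig, expectedContentType, RequestError, contentTypeMismatch, validateContentType and interceptedFetch, and uses a structural ResponseLike type so it does not depend on DOM typings. It goes slightly beyond the list above: the header is parsed into a bare media type (parameters such as charset dropped, case folded), a missing header counts as a mismatch, and a "type/*" wildcard is accepted.

```typescript
// Added example (not the project's own code). Assumed names: RequestConfig,
// expectedContentType, RequestError, contentTypeMismatch, validateContentType,
// interceptedFetch.

export class RequestError extends Error {
  constructor(message: string, readonly status?: number) {
    super(message);
    this.name = "RequestError";
  }
}

// Structural types so the example does not depend on DOM lib typings.
export interface ResponseLike {
  status: number;
  headers: { get(name: string): string | null };
}

export interface RequestConfig {
  method?: string;
  headers?: Record<string, string>;
  body?: string;
  // Media type the response must carry, e.g. "application/json" or "image/*".
  // Undefined keeps the current behaviour: no validation.
  expectedContentType?: string;
}

// Extract the media type from a Content-Type header value: lower-cased, with
// parameters such as "; charset=utf-8" dropped. Returns null if absent or malformed.
export function parseMediaType(header: string | null): string | null {
  if (header === null) return null;
  const mediaType = header.split(";")[0].trim().toLowerCase();
  return mediaType.includes("/") ? mediaType : null;
}

// Exact match, or "type/*" wildcard on the subtype. Deliberately strict:
// "application/problem+json" does NOT satisfy "application/json".
export function mediaTypeMatches(expected: string, actual: string): boolean {
  const [expType, expSub] = expected.trim().toLowerCase().split("/");
  const [actType, actSub] = actual.split("/");
  if (expType !== actType) return false;
  return expSub === "*" || expSub === actSub;
}

// Returns null when the response is acceptable, otherwise the reason for rejection.
export function contentTypeMismatch(response: ResponseLike, expected?: string): string | null {
  if (expected === undefined) return null; // default: no validation (backwards compatible)
  const actual = parseMediaType(response.headers.get("content-type"));
  if (actual === null) return `missing Content-Type header, expected ${expected}`;
  if (!mediaTypeMatches(expected, actual)) {
    return `Content-Type ${actual} does not match expected ${expected}`;
  }
  return null;
}

export function validateContentType(response: ResponseLike, expected?: string): void {
  const reason = contentTypeMismatch(response, expected);
  if (reason !== null) throw new RequestError(reason, response.status);
}

// Thin fetch wrapper: the validator runs before any caller sees the body.
export async function interceptedFetch(
  url: string,
  config: RequestConfig = {},
  fetchImpl: (url: string, init?: object) => Promise<ResponseLike> = (globalThis as any).fetch,
): Promise<ResponseLike> {
  const { expectedContentType, ...init } = config;
  const response = await fetchImpl(url, init);
  validateContentType(response, expectedContentType);
  return response;
}
```

Matching is on the media type only, so a caller expecting application/json that wants to accept application/problem+json has to opt in explicitly; that strictness is the point of a defense-in-depth check, and the server-side X-Content-Type-Options: nosniff header is still the primary control against browser sniffing.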
Files
src/request/RequestInterceptor.ts
tests/request/RequestInterceptor.test.ts
Source: AUDIT2 (-2 Defense-in-Depth)