@jkadamczyk (Collaborator) commented Jan 26, 2026

Summary by CodeRabbit

  • Bug Fixes

    • MIME type validation prevents unsafe or non-displayable content from rendering in web views; such content is now offered for download instead.
    • Improved extraction and handling of Content-Type headers during navigation.
  • Chores

    • Added patch release metadata for the package.

✏️ Tip: You can customize this high-level summary in your review settings.

coderabbitai bot commented Jan 26, 2026

📝 Walkthrough

Added MIME type safety validation to WebView navigation policy: Content-Type is extracted from HTTP responses, normalized, and compared against a static blocklist. Unsafe MIME types now trigger the existing file-download event (when configured) and cancel navigation; this integrates with attachment and canShowMIMEType checks.

Changes

| Cohort / File(s) | Summary |
|---|---|
| MIME Type Safety Validation: `apple/RNCWebViewImpl.m` | Added helper to normalize and check Content-Type against a static unsafe MIME-type list. Integrated this check into navigation policy alongside attachment and canShowMIMEType logic; if unsafe, emit file-download event (when configured) and cancel navigation. |
| Release Changeset: `.changeset/calm-taxis-poke.md` | Added changeset for a patch release documenting the MIME type blacklist implementation. |

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately describes the main change: implementing a MIME type blacklist to prevent unsafe MIME types from navigating and executing HTML/JS, which is reflected throughout the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
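
The check described in the walkthrough above, as an added example that is not the code from this pull request. The blocklist entries, the `Example…` function names and the sample header values are assumptions, since the page does not show the actual list.

```objective-c
#import <Foundation/Foundation.h>

// Illustrative entries only (assumption); the PR's real list is not on the page.
static NSSet<NSString *> *ExampleUnsafeMIMETypes(void) {
  static NSSet<NSString *> *types;
  static dispatch_once_t once;
  dispatch_once(&once, ^{
    types = [NSSet setWithArray:@[ @"image/svg+xml", @"application/xhtml+xml" ]];
  });
  return types;
}

// Reduce a raw Content-Type value to a bare, lowercase "type/subtype".
static NSString *ExampleNormalizedMIMEType(NSString *contentType) {
  if (contentType.length == 0) return nil;
  // Drop parameters such as "; charset=utf-8" before comparing.
  NSString *essence = [contentType componentsSeparatedByString:@";"].firstObject;
  essence = [essence stringByTrimmingCharactersInSet:
                         [NSCharacterSet whitespaceAndNewlineCharacterSet]];
  return essence.length > 0 ? essence.lowercaseString : nil;
}

// YES means: offer the response as a download and cancel the navigation.
static BOOL ExampleIsUnsafeResponse(NSURLResponse *response) {
  NSString *raw = nil;
  if ([response isKindOfClass:[NSHTTPURLResponse class]]) {
    // Header-name lookup is case-insensitive (iOS 13+ / macOS 10.15+).
    raw = [(NSHTTPURLResponse *)response valueForHTTPHeaderField:@"Content-Type"];
  }
  // Fall back to the MIME type Foundation parsed when the header is absent.
  NSString *mime = ExampleNormalizedMIMEType(raw ?: response.MIMEType);
  return mime != nil && [ExampleUnsafeMIMETypes() containsObject:mime];
}

int main(void) {
  @autoreleasepool {
    NSURL *url = [NSURL URLWithString:@"https://example.invalid/"];
    // Constructed header values: plain, mixed case with a parameter, padded.
    for (NSString *value in @[ @"text/plain", @"IMAGE/SVG+XML; charset=utf-8",
                               @" application/xhtml+xml " ]) {
      NSHTTPURLResponse *response =
          [[NSHTTPURLResponse alloc] initWithURL:url statusCode:200
                                     HTTPVersion:@"HTTP/1.1"
                                    headerFields:@{@"Content-Type" : value}];
      NSLog(@"%@ -> %@", value, ExampleIsUnsafeResponse(response)
                ? @"download and cancel" : @"continue policy checks");
    }
  }
  return 0;
}
```

A response that passes this check still goes through the attachment and canShowMIMEType checks the walkthrough mentions.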

@jkadamczyk jkadamczyk requested review from a team January 26, 2026 14:43
@alexz-phantom alexz-phantom left a comment

As always with these kinds of things there may be evasions, but this is a definite point improvement. Thanks!

@jkadamczyk jkadamczyk merged commit ad14030 into master Jan 26, 2026
19 checks passed