IE8's content-type authoritative parameter moved into a separate response header

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 03 Sep 2008 10:46:25 +0200
Message-ID: <48BE4EE1.7010701@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>


"MIME-Handling: Sniffing Opt-Out

As discussed in Part V of this blog series, Internet Explorer’s 
MIME-sniffing capabilities can lead to security problems for servers 
hosting untrusted content.  At that time, we announced a new 
Content-Type attribute (named “authoritative”) which could be used to 
disable MIME-sniffing for a particular HTTP response.

Over the past two months, we’ve received significant community feedback 
that using a new attribute on the Content-Type header would create a 
deployment headache for server operators. To that end, we have converted 
this option into a full-fledged HTTP response header.  Sending the new 
X-Content-Type-Options response header with the value nosniff will 
prevent Internet Explorer from MIME-sniffing a response away from the 
declared content-type.


BR, Julian
Received on Wednesday, 3 September 2008 08:47:08 UTC
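
As an added example (not part of the original message or the quoted blog post), here is a small Python WSGI middleware that sends the X-Content-Type-Options: nosniff response header described above on every response, plus a checker for it. The names `NoSniffMiddleware`, `has_nosniff`, `upload_app` and `call` are hypothetical, the sample body is constructed, and the case-insensitive comparison of the value is this example's own choice.

```python
# Added example: force "X-Content-Type-Options: nosniff" on WSGI responses.
from wsgiref.util import setup_testing_defaults

HEADER = "X-Content-Type-Options"

def has_nosniff(headers):
    """True if a list of (name, value) headers carries the nosniff opt-out."""
    for name, value in headers:
        # Header names are case-insensitive; tolerate padding around the value.
        if name.lower() == HEADER.lower() and value.strip().lower() == "nosniff":
            return True
    return False

class NoSniffMiddleware:
    """Wraps a WSGI app and emits exactly one nosniff header per response."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            # Drop any value the app set, so the header is never duplicated.
            kept = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
            kept.append((HEADER, "nosniff"))
            return start_response(status, kept, exc_info)
        return self.app(environ, patched)

def upload_app(environ, start_response):
    # Constructed sample: untrusted upload declared as text/plain whose bytes
    # look like markup, the case where sniffing could override the declared type.
    body = b"<html><b>looks like markup</b></html>"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

def call(app):
    """Run a WSGI app once in-process; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

The declared Content-Type is left untouched; the middleware only adds the separate header, which is the deployment advantage the quoted post gives for moving the option out of Content-Type.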
