
Re: content sniffing (and HTTP profiling)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 7 Apr 2009 22:54:46 -0700
Message-ID: <7789133a0904072254h20e84e9esae320c53ee5274c2@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Mark Nottingham <mnot@mnot.net>, "=JeffH" <Jeff.Hodges@kingsmountain.com>, HTTP Working Group <ietf-http-wg@w3.org>, Sam Ruby <rubys@intertwingly.net>, Chris Wilson <Chris.Wilson@microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>
On Tue, Apr 7, 2009 at 10:48 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Apr 7, 2009 at 10:47 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Tue, 7 Apr 2009, Adam Barth wrote:
>>> >
>>> > To be precise, they allow servers to opt out of content sniffing in
>>> > certain specific cases. It doesn't affect, for instance, how the
>>> > Content-Type header is treated for images (e.g. an image/png image
>>> > sent as image/gif is still treated as a PNG, even with this header
>>> > set, if I'm not mistaken;
>>>
>>> IE8 has a more awesome implementation than Chrome.  In IE8, these images
>>> won't render
>>
>> Even in <img> elements?
>
> I think so.  /me goes and makes a test case.

Yep.  Well, I tested a GIF with a Content-Type header of image/png.
Sorry I don't have the test case available at a public URL.  I use
netcat for these kinds of tests to make sure I get the network bytes
right.

I think the <script> tag still accepts any type, but we got a request
from someone on the security team to make that strict when the nosniff
directive is enabled.  It's unclear what we'll end up doing in that
case.

Adam
Received on Wednesday, 8 April 2009 05:55:40 GMT
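
The kind of byte-exact test described in the message above, as an added example that is not part of the original post: a Python stand-in for the netcat approach that serves GIF bytes labelled image/png with the nosniff directive set. The `X-Content-Type-Options` header name, the port, the sample image and the helper names are assumptions, not taken from the message.

```python
import socket

# Constructed sample input: a minimal 1x1 GIF89a image.
GIF_1X1 = bytes.fromhex(
    "474946383961 01000100800000 000000ffffff "
    "21f9040100000000 2c000000000100010000 0202440100 3b"
)


def build_response(body, declared_type, nosniff=True):
    """Return the exact bytes of an HTTP response labelling body as declared_type."""
    headers = [
        "HTTP/1.1 200 OK",
        f"Content-Type: {declared_type}",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if nosniff:
        # Header name assumed; the message only says "nosniff directive".
        headers.append("X-Content-Type-Options: nosniff")
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def serve_once(response, host="127.0.0.1", port=8080):
    """Answer a single connection with the prepared bytes; return the request seen."""
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        with conn:
            request = b""
            while b"\r\n\r\n" not in request:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                request += chunk
            conn.sendall(response)
    return request


if __name__ == "__main__":
    # GIF bytes deliberately mislabelled as image/png, with nosniff set.
    mismatched = build_response(GIF_1X1, "image/png")
    while True:
        first_line = serve_once(mismatched).split(b"\r\n", 1)[0]
        print(first_line.decode("ascii", "replace"))
```

Loading http://127.0.0.1:8080/ from an `<img>` element in the browser under test, then repeating with `nosniff=False`, shows whether the directive changes how the mislabelled image is handled.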
