Re: Limitations of IE8 type-sniffing opt-out

From: Philip Taylor <pjt47@cam.ac.uk>
Date: Thu, 04 Sep 2008 23:30:32 +0100
Message-ID: <48C06188.2040009@cam.ac.uk>
To: Julian Reschke <julian.reschke@gmx.de>
CC: HTML WG <public-html@w3.org>

Julian Reschke wrote:
> Philip Taylor wrote:
>>
>> (It seems it would have to be a new header, not a new value for 
>> X-Content-Type-Options, because no value other than "nosniff" will be 
>> accepted by IE8 to disable sniffing, and sites will want to work as 
>> securely as possible in both IE8 and IE10.)
> 
> Yes - they really need to define the value space and extensibility model 
> for that header.

I just checked this more carefully, and actually IE8b2 simply requires 
the first seven bytes (after stripping leading space and tab characters) 
to be "nosniff" (case-insensitively). So you can send e.g. 
"X-Content-Type-Options: nosniff-noreally" and IE8 will still do its 
sniffing-avoidance thing. (But that feels more like accidental 
extensibility than intentional design...)

-- 
Philip Taylor
pjt47@cam.ac.uk
Received on Thursday, 4 September 2008 22:31:09 UTC
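
The matching rule described in the message above, modelled as an added example (not part of the original message, and not IE8's own code). The function names and sample header values are constructed for illustration, and the exact-match rule is an assumption included only for contrast, so that a site operator can spot values that are honoured only because trailing bytes are ignored.

```javascript
// Added illustration; function names are hypothetical.

// Rule as described for IE8b2: strip leading space and tab characters,
// then the first seven bytes must be "nosniff" (case-insensitive).
// Whatever follows those seven bytes is ignored.
function prefixRuleAccepts(value) {
  const stripped = value.replace(/^[ \t]+/, "");
  return stripped.slice(0, 7).toLowerCase() === "nosniff";
}

// Contrast rule (assumption, not from the message): the whole value,
// minus surrounding space/tab, must be exactly "nosniff".
function exactRuleAccepts(value) {
  const trimmed = value.replace(/^[ \t]+|[ \t]+$/g, "");
  return trimmed.toLowerCase() === "nosniff";
}

// Classify a header value. "prefix-only" marks values that disable
// sniffing under the prefix rule but would fail an exact comparison,
// i.e. they work through the accidental extensibility noted above.
function classify(value) {
  if (exactRuleAccepts(value)) return "accepted-by-both";
  if (prefixRuleAccepts(value)) return "prefix-only";
  return "rejected";
}

// Constructed sample values for X-Content-Type-Options.
const samples = [
  "nosniff",
  " \tNoSniff",
  "nosniff-noreally",
  "nosniff; extra",
  "no-sniff",
  "nosnif",
  "x nosniff",
];

function audit(values) {
  return values.map((v) => ({ value: v, result: classify(v) }));
}

for (const row of audit(samples)) {
  console.log(JSON.stringify(row.value), "->", row.result);
}
```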