- From: Mike West <mkwst@google.com>
- Date: Mon, 18 Aug 2014 09:39:48 +0200
- To: Hatter Jiang OWS <hatter@openwebsecurity.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=c_Zed34Zf1hn291cztxL=nXnFhNyxY+WsSf3dqQLsABg@mail.gmail.com>
I was confused by the fact that `X-Content-Type-Options` applies to the resource being loaded, rather than to resources loaded by a document. Setting a sniffing policy for a document seems like a reasonable thing to consider doing (though it should likely be done in conjunction with the http://mimesniff.spec.whatwg.org/ WHATWG spec). Still, this is something we could certainly consider for the next iteration of CSP. Filed https://github.com/w3c/webappsec/issues/44 to make sure we keep it in mind.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sat, Aug 16, 2014 at 7:03 PM, Hatter Jiang OWS <hatter@openwebsecurity.org> wrote:

> Many web sites use JSONP, but may set the wrong Content-Type (e.g. text/html); sniffing will let the code look like it is working. But for security, I want to turn sniffing off using `X-Content-Type-Options: nosniff`.
>
> Sometimes it is really difficult for me to find out all the JSONP with the wrong Content-Type assigned.
>
> If I could use CSP like:
>
>     Content-Security-Policy-Report-Only: content-type-option nosniff; report-uri /cspreport.do
>
> it would help me find out all the Content-Type sniffing invocations.
>
> P.S.
> 1. The "X-" prefix for headers is deprecated by RFC 6648.
> 2. In CSP Level 2, frame-ancestors replaces X-Frame-Options and reflected-xss replaces X-XSS-Protection, but X-Content-Type-Options has no replacement.
>
> Hatter Jiang
Received on Monday, 18 August 2014 07:40:36 UTC