W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2012

[whatwg] [mimesniff] The X-Content-Type-Options header

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Fri, 16 Nov 2012 17:19:37 -0500
Message-ID: <CAH4e3M61gS3ENDfgYRaQc-HdGinY18hV80DHW35-NWnahtzFeA@mail.gmail.com>
To: whatwg List <whatwg@whatwg.org>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=19865

Microsoft introduced the X-Content-Type-Options header in IE8 back in 2008:

http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

I would like to integrate the header into mimesniff and describe its
proper usage.

Right now, it allows one parameter: 'nosniff'. I would like to allow
the presence of this parameter to set the 'no-sniff flag' that I just
introduced into mimesniff (in addition to that flag's existing
duties):

http://mimesniff.spec.whatwg.org/#no-sniff-flag

But I would also like to fully spec the header, while leaving open the
possibility that other values may be added in the future.

In addition, I would like to, if I could, also allow the header to be
specified without the 'X-' prefix (so as 'Content-Type-Options'), for
that reason (and because of best current practice).

Does anyone have any questions, comments, or objections about this issue?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/http://gphemsley.org/blog/
Received on Friday, 16 November 2012 22:24:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT