- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 16 Nov 2012 14:28:32 -0800
- To: "Gordon P. Hemsley" <gphemsley@gmail.com>
- Cc: whatwg List <whatwg@whatwg.org>

On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
> In addition, I would like to, if I could, also allow the header to be
> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
> that reason (and because of best current practice).
>
> Does anyone have any questions, comments, or objections about this issue?

Not sure why you would drop the prefix if it's not supported. Doesn't seem like best practice to me to needlessly break compatibility. ;-)

Also, are we sure they are not sniffing still? E.g. how is mislabeled image content treated? I vaguely recall an image/png resource that's actually a GIF, still working even in the presence of this header. <script> probably still executes too, although I guess MIME sniff currently has no say in how <script> loading does not care about the MIME type.

--
http://annevankesteren.nl/

Received on Friday, 16 November 2012 22:29:01 UTC