W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2012

Re: [whatwg] [mimesniff] The X-Content-Type-Options header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 16 Nov 2012 14:28:32 -0800
Message-ID: <CADnb78hebV_4R7pCSxviMgzsLg0b0_RAgXai7zb68wtsyCA2fg@mail.gmail.com>
To: "Gordon P. Hemsley" <gphemsley@gmail.com>
Cc: whatwg List <whatwg@whatwg.org>
On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
> In addition, I would like to, if I could, also allow the header to be
> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
> that reason (and because of best current practice).
>
> Does anyone have any questions, comments, or objections about this issue?

Not sure why you would drop the prefix if it's not supported. Doesn't
seem like best practice to me to needlessly break compatibility. ;-)

Also, are we sure they are not sniffing still? E.g. how is mislabeled
image content treated? I vaguely recall a image/png resource that's
actually a GIF, still working even in the presence of this header.
<script> probably still executes too, although I guess MIME sniff
currently has no say in how <script> loading does not care about the
MIME type.


-- 
http://annevankesteren.nl/
Received on Friday, 16 November 2012 22:29:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT