
Re: [whatwg] [mimesniff] The X-Content-Type-Options header

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Fri, 16 Nov 2012 17:43:32 -0500
Message-ID: <CAH4e3M7hjUe8hg5iK6uGD4onK=q+iej5oXkoODc5MEgkAD7Rug@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: whatwg List <whatwg@whatwg.org>
On Fri, Nov 16, 2012 at 5:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
>> In addition, I would like to, if I could, also allow the header to be
>> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
>> that reason (and because of best current practice).
>>
>> Does anyone have any questions, comments, or objections about this issue?
>
> Not sure why you would drop the prefix if it's not supported. Doesn't
> seem like best practice to me to needlessly break compatibility. ;-)
>
> Also, are we sure they are not sniffing still? E.g. how is mislabeled
> image content treated? I vaguely recall an image/png resource that's
> actually a GIF, still working even in the presence of this header.
> <script> probably still executes too, although I guess MIME sniff
> currently has no say in how <script> loading does not care about the
> MIME type.

Well, it was my (unverified) understanding that the header wasn't
widely implemented yet.

Gecko has a bug on file (which notes that it's for parity with Chrome):

https://bugzilla.mozilla.org/show_bug.cgi?id=471020

So my intent was actually to specify exactly what browsers should do,
rather than what they currently do. (This spec is a mixture of both in
that department, modeled off of what Chrome does.)

Regarding your anecdote, it's possible that you were using a browser
that didn't support the header (thus performing the sniffing even when
told not to). If you weren't, though, I think that's Bad™. If browsers
ignore the header, then there's no point in having it.

Unless, of course, we only want to limit it to scriptable media types.
That wasn't what I was originally considering, but it doesn't
necessarily conflict with the IE team's original intent. (Their
example is content marked as 'text/plain' being sniffed as
'text/html'.)

So, what do the implementors think?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/
http://gphemsley.org/blog/
Received on Friday, 16 November 2012 22:44:20 GMT
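The two cases Anne raises (a mislabeled image/png that is really a GIF, and a script resource whose MIME type is not a script type) can be worked through with a small model of the nosniff rules. The code below is an added example for this archive page, not code from the thread, from the 2012 mimesniff draft under discussion, or from any browser; it follows the shape of the rules as later written into the WHATWG MIME Sniffing and Fetch standards, where nosniff both disables content sniffing for a supplied Content-Type and blocks script/style loads whose declared type is not a script or CSS type. The function names, the trimmed-down magic-number and JavaScript MIME type tables, and the sample byte strings are all constructed for the example.

```javascript
// Model of X-Content-Type-Options: nosniff handling (added example; not
// browser code). Tables below are deliberately partial subsets of the
// spec's image-pattern and JavaScript-MIME-type lists.
const IMAGE_PATTERNS = [
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
];

const JS_MIME_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'text/ecmascript', 'application/ecmascript',
]);

// The header is a comma-separated list; only the first member counts, and
// it is compared ASCII case-insensitively after trimming whitespace.
function headerValueIsNosniff(value) {
  if (value === null || value === undefined) return false;
  const first = String(value).split(',')[0].trim().toLowerCase();
  return first === 'nosniff';
}

// Essence of a MIME type string: "type/subtype" without parameters.
function essence(mimeType) {
  return (mimeType || '').split(';')[0].trim().toLowerCase();
}

// Match the leading bytes of a resource against the image table.
function sniffImage(bytes) {
  for (const p of IMAGE_PATTERNS) {
    if (p.bytes.every((b, i) => bytes[i] === b)) return p.type;
  }
  return null;
}

// Computed MIME type for a resource. With nosniff in force and a supplied
// type present, the supplied type is used as-is; otherwise an image type is
// corrected by its magic number. Non-image sniffing is omitted here.
function computedMimeType(suppliedType, nosniffHeader, bytes) {
  const supplied = essence(suppliedType) || null;
  if (supplied && headerValueIsNosniff(nosniffHeader)) {
    return supplied; // header says "trust Content-Type", so no sniffing
  }
  if (supplied && supplied.startsWith('image/')) {
    return sniffImage(bytes) || supplied;
  }
  return supplied || 'application/octet-stream';
}

// Load-time check modelled on Fetch's nosniff blocking: a script destination
// must carry a JavaScript MIME type and a style destination must be text/css.
function blockedByNosniff(destination, suppliedType, nosniffHeader) {
  if (!headerValueIsNosniff(nosniffHeader)) return false;
  const e = essence(suppliedType);
  if (destination === 'script') return !JS_MIME_TYPES.has(e);
  if (destination === 'style') return e !== 'text/css';
  return false;
}

// Constructed scenarios mirroring the thread's questions.
function scenarios() {
  const gifBytes = [0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00]; // GIF89a header
  return {
    // image/png label on GIF data, no header: sniffing corrects it to image/gif
    mislabeledGifSniffed: computedMimeType('image/png', null, gifBytes),
    // same resource with nosniff: the label is kept, so a GIF decoder is never tried
    mislabeledGifNosniff: computedMimeType('image/png', 'nosniff', gifBytes),
    // text/plain served to a <script> with nosniff: blocked from executing
    plainTextScriptBlocked: blockedByNosniff('script', 'text/plain', 'nosniff'),
    // a real script type passes, header value matched case-insensitively
    realScriptAllowed: blockedByNosniff('script', 'text/javascript; charset=utf-8', 'NOSNIFF'),
    // without the header, the model imposes no restriction on the script load
    scriptWithoutHeader: blockedByNosniff('script', 'text/plain', null),
  };
}

console.log(scenarios());
```

The image case is where the two halves differ: once a server commits to nosniff, the image/png-that-is-a-GIF simply fails to decode as PNG instead of quietly working, which is the "no point in having it" outcome the reply argues for. The script case shows the other lever a browser has: rather than sniffing the body at all, it refuses the load when the declared type is not a script type.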

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT