Re: [whatwg] AppCache Content-Type Security Considerations

On Tue, May 13, 2014 at 1:06 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Tue, 13 May 2014, Eduardo' Vela\" <Nava> wrote:
> >
> > Thanks!
> >
> > Just to ensure this wasn't lost in the thread.
> >
> > What about X-Content-Type-Options: nosniff?
> >
> > Could we formalize it and remove the X and disable sniffing all
> > together?
>
> Do you mean for manifests specifically, or more generally?
>
I agree it's wrong to do it as a one-off, so was hoping to make it more
generally (since there seems to be a move on moving out of the CT model).

If that's not OK, then CSP is probably a reasonable way forward (I'll take
a look at the Service Worker thread to ensure we have a similar mitigation
in place).

> For manifests specifically, it seems like a very odd feature. "Manifests
> don't have a MIME type normally, but if served with this header, then you
> should also change how you determine if a manifest is a manifest"?
>
> If we just want a way to prevent pages that aren't supposed to be
> manifests from being treated as manifests, I think it'd be better to have
> a CSP directive that disables manifests. Then you would apply it to any
> resource you know you don't want cached, don't want to be treated as being
> able to declare a manifests, and don't want treated as a manifest.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>

Received on Tuesday, 13 May 2014 21:42:32 UTC
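As an added illustration (not code from the thread or from any browser), the following Python models the decision the two proposals above would change: whether a fetched resource gets treated as an AppCache manifest. The Response shape, the sample responses and the CSP directive name `disallow-manifest` are constructed assumptions; only `X-Content-Type-Options: nosniff`, `text/cache-manifest` and the `CACHE MANIFEST` signature are real.

```python
from dataclasses import dataclass, field
from typing import Dict

MANIFEST_TYPE = "text/cache-manifest"
MAGIC = b"CACHE MANIFEST"
# Hypothetical directive name standing in for the "CSP directive that
# disables manifests" proposed in the thread; not a real CSP keyword.
HYPOTHETICAL_CSP_DIRECTIVE = "disallow-manifest"

@dataclass
class Response:
    body: bytes
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # Header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v.strip()
        return ""

def has_manifest_signature(body: bytes) -> bool:
    # The format's own check: the file must begin with "CACHE MANIFEST"
    # (optionally after a UTF-8 BOM), followed by space, tab or newline.
    if body.startswith(b"\xef\xbb\xbf"):
        body = body[3:]
    if not body.startswith(MAGIC):
        return False
    rest = body[len(MAGIC):]
    return rest == b"" or rest[:1] in (b" ", b"\t", b"\r", b"\n")

def treated_as_manifest(resp: Response) -> bool:
    """True if a sniffing user agent would accept this response as a manifest."""
    # Option 2 from the thread: a CSP directive on the response opts it out.
    directives = [d.strip().split()[0]
                  for d in resp.header("Content-Security-Policy").split(";")
                  if d.strip()]
    if HYPOTHETICAL_CSP_DIRECTIVE in directives:
        return False
    ctype = resp.header("Content-Type").split(";")[0].strip().lower()
    # Option 1: with nosniff only the declared type counts, so a resource
    # not served as text/cache-manifest is never treated as a manifest.
    if resp.header("X-Content-Type-Options").lower() == "nosniff":
        return ctype == MANIFEST_TYPE and has_manifest_signature(resp.body)
    # Without nosniff any body carrying the signature is accepted, which is
    # the risk under discussion (e.g. a user-uploaded text file).
    return has_manifest_signature(resp.body)
```

The interesting case is a `text/plain` upload whose first line happens to be `CACHE MANIFEST`: it is accepted without `nosniff` and rejected with it, while a properly typed manifest is unaffected.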