Re: Microsoft's "I mean it" content-type parameter

On Wed, 2008-07-02 at 22:52 +0200, Julian Reschke wrote:
> Hi,
> 
> (crossposted to both the HTTPbis WG's and HTML5 WG's mailing lists...)
> 
> looking at 
> <http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx>:
> 
> "MIME-Handling: Sniffing Opt-Out
> 
> Next, we’ve provided web-applications with the ability to opt-out of 
> MIME-sniffing. Sending the new authoritative=true attribute on the 
> Content-Type HTTP response header prevents Internet Explorer from 
> MIME-sniffing a response away from the declared content-type."
> 
> Let's ignore the issue of inventing a new media type parameter for all 
> new media types for a moment...
> 
> It's good that MS recognizes that content-type-sniffing may be bad and 
> that they are doing something about it. But is this really the right 
> approach?

If they assume that fixing all the bust clients they have been shipping
for years is infeasible, then I think they would have concluded it's the
right way.

I think it's bogus - it requires every web site author in existence to
change their site to fix a defect in MSIE. That's got to be harder to
deploy than just a hotfix to MSIE to not sniff at all. 'Sorry, bad idea,
fixed in hotfix #12345.'

-Rob
-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Received on Wednesday, 2 July 2008 22:34:21 UTC