Re: content sniffing (and HTTP profiling)

On Tue, Apr 7, 2009 at 4:23 PM, Mark Nottingham <mnot@mnot.net> wrote:
> The only thing that I think may need to be added (and I think this was
> discussed in SF) is advice on allowing origins and users the ability to opt
> out of sniffing on a per-response basis. Putting that advice in HTTPbis is
> probably best, although I could see arguments for putting it in the sniffing
> algorithm.

As you might be aware, IE8 and Chrome let servers opt out of content
sniffing using an HTTP header.  I've done some preliminary
measurement experiments on the use of this header:

1) The nosniff directive is included in about 8% of all HTTP responses
received by Chrome.  (I believe that virtually all of google.com uses
this directive, for example.)

2) Of the HTTP responses that include the nosniff directive,
approximately 1.5% of them lack a Content-Type header.  (Compare this
to the ~1% of such responses in the general population.)

The nosniff directive has caused some small amount of incompatibility
because servers both specify the directive and require sniffing for
proper operation.  These sites appear relatively responsive to
evangelism and tend to correct their use of the Content-Type header
rather than abandon the nosniff directive.

Eric Lawrence might have some additional implementation experience to
share on this topic.

Adam

Received on Tuesday, 7 April 2009 23:48:44 UTC
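
The following is an added example, not part of the original message: a small audit that reproduces the kind of measurement described above over captured response headers and flags responses that opt out of sniffing yet carry no usable Content-Type. The header name X-Content-Type-Options is not spelled out in the message and is assumed here; the sample responses and the function names are constructed for illustration.

```python
# Constructed sample responses (status line + headers); not measured data.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-Content-Type-Options: NoSniff\r\nContent-Length: 12\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: \r\nX-Content-Type-Options: nosniff, x\r\n\r\n",
]

def parse_headers(raw):
    """Return {lowercased-name: value}; the first occurrence of a name wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def has_nosniff(headers):
    """True if the first comma-separated token is 'nosniff' (any case)."""
    value = headers.get("x-content-type-options", "")
    return value.split(",")[0].strip().lower() == "nosniff"

def has_content_type(headers):
    """An empty Content-Type value is treated the same as a missing one."""
    return bool(headers.get("content-type", ""))

def audit(raw_responses):
    """Count nosniff use and list responses with nosniff but no Content-Type."""
    total = nosniff = missing_ct = 0
    flagged = []  # indexes of responses that would break without sniffing
    for index, raw in enumerate(raw_responses):
        headers = parse_headers(raw)
        total += 1
        no_ct = not has_content_type(headers)
        missing_ct += no_ct
        if has_nosniff(headers):
            nosniff += 1
            if no_ct:
                flagged.append(index)
    return {
        "total": total,
        "nosniff": nosniff,
        "missing_content_type": missing_ct,
        "nosniff_without_content_type": flagged,
        "missing_rate_among_nosniff": len(flagged) / nosniff if nosniff else 0.0,
        "missing_rate_overall": missing_ct / total if total else 0.0,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSES))
```

The flagged indexes are the responses whose operators would need to add a correct Content-Type rather than drop the directive.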