- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 7 Apr 2009 16:47:54 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, HTTP Working Group <ietf-http-wg@w3.org>, Sam Ruby <rubys@intertwingly.net>, Chris Wilson <Chris.Wilson@microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>
On Tue, Apr 7, 2009 at 4:23 PM, Mark Nottingham <mnot@mnot.net> wrote:
> The only thing that I think may need to be added (and I think this was
> discussed in SF) is advice on allowing origins and users the ability to opt
> out of sniffing on a per-response basis. Putting that advice in HTTPbis is
> probably best, although I could see arguments for putting it in the sniffing
> algorithm.

As you might be aware, IE8 and Chrome let servers opt out of content sniffing using an HTTP header. I've done some preliminary measurement experiments on the use of this header:

1) The nosniff directive is included in about 8% of all HTTP responses received by Chrome. (I believe that virtually all of google.com uses this directive, for example.)

2) Of the HTTP responses that include the nosniff directive, approximately 1.5% of them lack a Content-Type header. (Compare this to the ~1% of such responses in the general population.)

The nosniff directive has caused some small amount of incompatibility because servers both specify the directive and require sniffing for proper operation. These sites appear relatively responsive to evangelism and tend to correct their use of the Content-Type header rather than abandon the nosniff directive.

Eric Lawrence might have some additional implementation experience to share on this topic.

Adam
Received on Tuesday, 7 April 2009 23:48:44 UTC
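The per-response opt-out and the two measurements Adam describes, as an added example that is not part of the thread: it assumes the header IE8 and Chrome honour is `X-Content-Type-Options: nosniff` (the mail only says "the nosniff directive"), and the response header sets below are constructed, not crawl data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of response header sets, as a client-side survey might log them.
SAMPLE_RESPONSES: List[Dict[str, str]] = [
    {"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff"},
    {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"},
    {"X-Content-Type-Options": "nosniff"},                  # opted out, but no type
    {"Content-Type": "text/plain"},                          # sniffable
    {},                                                      # no type, sniffable
    {"Content-Type": "image/png", "x-content-type-options": "NOSNIFF"},
]


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def opts_out_of_sniffing(headers: Dict[str, str]) -> bool:
    """True when the response carries the nosniff directive (assumed header name)."""
    value = _get(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def effective_media_type(headers: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Return (declared media type, may_sniff).

    With nosniff the declared type is final, so a response that opts out but
    omits Content-Type ends up with no usable type at all: the incompatibility
    the mail describes, where a server sets nosniff yet relies on sniffing.
    """
    ctype = _get(headers, "Content-Type")
    declared = ctype.split(";")[0].strip().lower() if ctype else None
    return declared, not opts_out_of_sniffing(headers)


def nosniff_stats(responses: List[Dict[str, str]]) -> Tuple[float, float]:
    """Share of responses carrying nosniff, and share of those lacking Content-Type."""
    nosniff = [r for r in responses if opts_out_of_sniffing(r)]
    missing_type = [r for r in nosniff if _get(r, "Content-Type") is None]
    share = len(nosniff) / len(responses) if responses else 0.0
    missing_share = len(missing_type) / len(nosniff) if nosniff else 0.0
    return share, missing_share
```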