On Tue, Apr 7, 2009 at 9:58 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Tue, 7 Apr 2009, Adam Barth wrote:
>> As you might be aware, IE8 and Chrome let servers opt out of content
>> sniffing using a HTTP header.
>
> To be precise, they allow servers to opt out of content sniffing in
> certain specific cases. It doesn't affect, for instance, how the
> Content-Type header is treated for images (e.g. an image/png image sent as
> image/gif is still treated as a PNG, even with this header set, if I'm not
> mistaken;

IE8 has a more awesome implementation than Chrome. In IE8, these
images won't render, but in Chrome they will. Eventually, I'd like to
make Chrome's implementation match IE8, but it's not that high a
priority. The main security win comes from not sniffing when loading
a frame.

> and Content-Type headers are entirely ignored in certain
> contexts like <embed> elements with explicit type="" attributes or
> @font-face declarations in CSS).

I haven't tested these cases.

Adam

Received on Wednesday, 8 April 2009 05:45:04 UTC
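
The mislabeled-image case raised in this thread, as an added example that is not part of the original message: a server-side audit that flags an image whose declared Content-Type disagrees with its leading bytes, since the thread reports that browsers handle that case differently even with the opt-out header set. It assumes the opt-out header is `X-Content-Type-Options: nosniff` (the thread does not name it); the function names, finding labels and sample bytes are constructed for illustration.

```python
# Added example: audit one HTTP response for the sniffing opt-out header and
# for an image body that does not match its declared Content-Type.

# Leading byte signatures for the image types checked here.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample bodies: valid signatures followed by padding.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16


def sniff_image(body):
    """Return the image type implied by the body's leading bytes, or None."""
    for mime, magics in SIGNATURES.items():
        if body.startswith(magics):
            return mime
    return None


def audit_response(headers, body):
    """Return a list of findings for one response (headers: dict, body: bytes)."""
    h = {k.lower(): v for k, v in headers.items()}
    # Drop parameters such as "; charset=..." before comparing.
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    findings = []
    if not nosniff:
        findings.append("missing-nosniff")
    if declared.startswith("image/"):
        actual = sniff_image(body)
        if actual is None:
            findings.append("unrecognized-image-body")
        elif actual != declared:
            # The case from the thread: a PNG sent as image/gif.
            findings.append(f"type-mismatch:{declared}!={actual}")
    return findings


if __name__ == "__main__":
    hdrs = {"Content-Type": "image/gif", "X-Content-Type-Options": "nosniff"}
    print(audit_response(hdrs, SAMPLE_PNG))
```
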