Re: content sniffing (and HTTP profiling)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 7 Apr 2009 22:44:10 -0700
Message-ID: <7789133a0904072244i26cf6290jc967482501fd572@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Mark Nottingham <mnot@mnot.net>, "=JeffH" <Jeff.Hodges@kingsmountain.com>, HTTP Working Group <ietf-http-wg@w3.org>, Sam Ruby <rubys@intertwingly.net>, Chris Wilson <Chris.Wilson@microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>

On Tue, Apr 7, 2009 at 9:58 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Tue, 7 Apr 2009, Adam Barth wrote:
>> As you might be aware, IE8 and Chrome let servers opt out of content
>> sniffing using a HTTP header.
> To be precise, they allow servers to opt out of content sniffing in
> certain specific cases. It doesn't affect, for instance, how the
> Content-Type header is treated for images (e.g. an image/png image sent as
> image/gif is still treated as a PNG, even with this header set, if I'm not
> mistaken;

IE8 has a more awesome implementation than Chrome.  In IE8, these
images won't render, but in Chrome they will.  Eventually, I'd like to
make Chrome's implementation match IE8, but it's not that high a
priority.  The main security win comes from not sniffing when loading
a frame.

> and Content-Type headers are entirely ignored in certain
> contexts like <embed> elements with explicit type="" attributes or
> @font-face declarations in CSS).

I haven't tested these cases.

Received on Wednesday, 8 April 2009 05:45:04 UTC
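
Added example, not part of the original message or of either browser's code: a server-side check for the case discussed in the thread (a PNG served as image/gif), so the mislabelling is caught at the origin instead of depending on which browser behaviour the client has. The header name X-Content-Type-Options is an assumption here, since the message does not name it; the sample responses are constructed.

```python
# Added example: audit declared Content-Type against the bytes actually served.
# All sample responses below are constructed for illustration.

MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

def sniff_image(body):
    """Return the image type implied by the leading bytes, or None."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    return None

def declared_type(headers):
    """Media type from Content-Type, lowercased, parameters dropped."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None

def has_nosniff(headers):
    # Assumption: the opt-out header is X-Content-Type-Options: nosniff.
    for name, value in headers.items():
        if name.lower() == "x-content-type-options":
            return value.strip().lower() == "nosniff"
    return False

def audit(headers, body):
    """List findings for one response; an empty list means nothing to fix."""
    findings = []
    declared, actual = declared_type(headers), sniff_image(body)
    if declared is None:
        findings.append("no Content-Type: client must guess")
    elif actual and declared != actual:
        findings.append(f"declared {declared} but bytes are {actual}")
    if not has_nosniff(headers):
        findings.append("sniffing opt-out header not set")
    return findings

PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed body
SAMPLES = {
    "mislabelled": ({"Content-Type": "image/gif", "X-Content-Type-Options": "nosniff"}, PNG),
    "correct": ({"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"}, PNG),
    "no-opt-out": ({"Content-Type": "text/html; charset=utf-8"}, b"<!doctype html>"),
}
```

The "mislabelled" sample is flagged even though the opt-out header is present, which is the case where, per the message, clients differ on whether the image renders.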