Re: content sniffing (and HTTP profiling)

On Tue, Apr 7, 2009 at 10:48 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Apr 7, 2009 at 10:47 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Tue, 7 Apr 2009, Adam Barth wrote:
>>> >
>>> > To be precise, they allow servers to opt out of content sniffing in
>>> > certain specific cases. It doesn't affect, for instance, how the
>>> > Content-Type header is treated for images (e.g. an image/png image
>>> > sent as image/gif is still treated as a PNG, even with this header
>>> > set, if I'm not mistaken;
>>>
>>> IE8 has a more awesome implementation than Chrome.  In IE8, these images
>>> won't render
>>
>> Even in <img> elements?
>
> I think so.  /me goes and makes a test case.

Yep.  Well, I tested a GIF with a Content-Type header of image/png.
Sorry I don't have the test case available at a public URL.  I use
netcat for these kinds of tests to make sure I get the network bytes
right.

I think the <script> tag still accepts any type, but we got a request
from someone on the security team to make that strict when the nosniff
directive is enabled.  It's unclear what we'll end up doing in that
case.

Adam

Received on Wednesday, 8 April 2009 05:55:40 UTC
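
A test case along the lines described in the message above, as an added example (not the author's actual test and not part of the original thread): it builds the exact response bytes for a GIF labelled image/png with the nosniff directive set, and serves them once over a raw socket in place of netcat. The 1x1 GIF, the port, the helper names and the use of the `X-Content-Type-Options` header to carry nosniff are assumptions of this example.

```python
import socket

# Constructed sample: a minimal 1x1 GIF89a image (not from the thread).
GIF_1X1 = bytes.fromhex(
    "474946383961" "01000100" "800000" "000000ffffff"
    "21f9040100000000" "2c000000000100010000" "0202440100" "3b"
)
MAGIC = ((b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
         (b"\x89PNG\r\n\x1a\n", "image/png"))

def sniff_image_type(body):
    """Return the type implied by the leading magic bytes, or None."""
    return next((mime for magic, mime in MAGIC if body.startswith(magic)), None)

def build_response(body, declared_type, nosniff=True):
    """Build the exact bytes to put on the wire, so no server rewrites headers."""
    headers = ["HTTP/1.1 200 OK",
               f"Content-Type: {declared_type}",
               f"Content-Length: {len(body)}",
               "Connection: close"]
    if nosniff:
        headers.append("X-Content-Type-Options: nosniff")
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body

def describe(response):
    """Parse a raw response into declared type, sniffed type and nosniff flag."""
    head, _, body = response.partition(b"\r\n\r\n")
    fields = {}
    for line in head.decode("ascii").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return {"declared": fields.get("content-type"),
            "sniffed": sniff_image_type(body),
            "nosniff": fields.get("x-content-type-options", "").lower() == "nosniff"}

def serve_once(response, host="127.0.0.1", port=8080):
    """Answer one connection with the prepared bytes, as netcat would."""
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)          # read and discard the request
            conn.sendall(response)

if __name__ == "__main__":
    resp = build_response(GIF_1X1, "image/png")
    print(describe(resp))             # declared image/png, sniffed image/gif
    serve_once(resp)                  # then load http://127.0.0.1:8080/ in an <img>
```

Calling `build_response` with `nosniff=False` gives the control case, so the two responses differ only in the one header under test.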