W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: content sniffing (and HTTP profiling)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 7 Apr 2009 22:54:46 -0700
Message-ID: <7789133a0904072254h20e84e9esae320c53ee5274c2@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Mark Nottingham <mnot@mnot.net>, "=JeffH" <Jeff.Hodges@kingsmountain.com>, HTTP Working Group <ietf-http-wg@w3.org>, Sam Ruby <rubys@intertwingly.net>, Chris Wilson <Chris.Wilson@microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>
On Tue, Apr 7, 2009 at 10:48 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Apr 7, 2009 at 10:47 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Tue, 7 Apr 2009, Adam Barth wrote:
>>> >
>>> > To be precise, they allow servers to opt out of content sniffing in
>>> > certain specific cases. It doesn't affect, for instance, how the
>>> > Content-Type header is treated for images (e.g. an image/png image
>>> > sent as image/gif is still treated as a PNG, even with this header
>>> > set, if I'm not mistaken;
>>> IE8 has a more awesome implementation than Chrome.  In IE8, these images
>>> won't render
>> Even in <img> elements?
> I think so.  /me goes and makes a test case.

Yep.  Well, I tested a GIF with a Content-Type header of image/png.
Sorry I don't have the test case available at a public URL.  I use
netcat for these kinds of tests to make sure I get the network bytes

I think the <script> tag still accepts any type, but we got a request
from someone on the security team to make that strict when the nosniff
directive is enabled.  It's unclear what we'll end up doing in that

Received on Wednesday, 8 April 2009 05:55:40 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:19 UTC