- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 7 Apr 2009 22:54:46 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Mark Nottingham <mnot@mnot.net>, "=JeffH" <Jeff.Hodges@kingsmountain.com>, HTTP Working Group <ietf-http-wg@w3.org>, Sam Ruby <rubys@intertwingly.net>, Chris Wilson <Chris.Wilson@microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>
On Tue, Apr 7, 2009 at 10:48 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Apr 7, 2009 at 10:47 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Tue, 7 Apr 2009, Adam Barth wrote:
>>> >
>>> > To be precise, they allow servers to opt out of content sniffing in
>>> > certain specific cases. It doesn't affect, for instance, how the
>>> > Content-Type header is treated for images (e.g. an image/png image
>>> > sent as image/gif is still treated as a PNG, even with this header
>>> > set, if I'm not mistaken;
>>>
>>> IE8 has a more awesome implementation than Chrome. In IE8, these images
>>> won't render
>>
>> Even in <img> elements?
>
> I think so. /me goes and makes a test case.

Yep. Well, I tested a GIF with a Content-Type header of image/png.
Sorry I don't have the test case available at a public URL. I use
netcat for these kinds of tests to make sure I get the network bytes
right.

I think the <script> tag still accepts any type, but we got a request
from someone on the security team to make that strict when the nosniff
directive is enabled. It's unclear what we'll end up doing in that
case.

Adam
Received on Wednesday, 8 April 2009 05:55:40 UTC
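
A test case of the kind the message describes, as an added example that is not part of the original post and is not the author's own test: it writes a byte-exact HTTP response whose body is a GIF while the headers declare image/png with nosniff set. The `X-Content-Type-Options` header name, the `response.bin` file name, port 8080 and all function names are assumptions made here.

```shell
#!/bin/sh
# Added example: byte-exact fixture for the mismatch test described above.
# The output file name and the port in the usage comment are assumptions.

# Constructed sample body: a 43-byte, 1x1 GIF89a written with octal escapes.
gif_body() {
  printf 'GIF89a\001\000\001\000\200\000\000\377\377\377\000\000\000'
  printf '!\371\004\001\000\000\000\000,\000\000\000\000\001\000\001\000\000'
  printf '\002\002D\001\000;'
}

# Write status line, headers (CRLF line endings) and body to file $1.
build_response() {
  body_len=$(gif_body | wc -c | tr -d ' ')
  {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: image/png\r\n'          # deliberately wrong
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Content-Length: %s\r\n' "$body_len"
    printf 'Connection: close\r\n\r\n'
    gif_body
  } > "$1"
}

# Print the value of header $2 from response file $1 (stops at the blank line).
header_value() {
  tr -d '\r' < "$1" | LC_ALL=C sed -n -e '/^$/q' -e "s/^$2: //p"
}

# Print the type implied by the body's magic bytes (GIF only in this sketch).
sniffed_type() {
  magic=$(tail -c "$(header_value "$1" Content-Length)" "$1" | dd bs=1 count=6 2>/dev/null)
  case "$magic" in
    GIF87a|GIF89a) echo image/gif ;;
    *) echo unknown ;;
  esac
}

out="${1:-response.bin}"
build_response "$out"
echo "declared=$(header_value "$out" Content-Type) actual=$(sniffed_type "$out")"
# Serve it once, e.g. with OpenBSD netcat:  nc -l 8080 < response.bin
# then load http://localhost:8080/ from an <img> element in the browser under test.
```

Checking the fixture before serving it confirms that the declared and actual types really disagree, so a rendered or blocked image in the browser reflects the browser's handling and not a malformed response.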