Re: content sniffing (and HTTP profiling)

On Tue, Apr 7, 2009 at 10:48 PM, Adam Barth <> wrote:
> On Tue, Apr 7, 2009 at 10:47 PM, Ian Hickson <> wrote:
>> On Tue, 7 Apr 2009, Adam Barth wrote:
>>> >
>>> > To be precise, they allow servers to opt out of content sniffing in
>>> > certain specific cases. It doesn't affect, for instance, how the
>>> > Content-Type header is treated for images (e.g. an image/png image
>>> > sent as image/gif is still treated as a PNG, even with this header
>>> > set, if I'm not mistaken;
>>> IE8 has a more awesome implementation than Chrome.  In IE8, these images
>>> won't render
>> Even in <img> elements?
> I think so.  /me goes and makes a test case.

Yep.  Well, I tested a GIF with a Content-Type header of image/png.
Sorry I don't have the test case available at a public URL.  I use
netcat for these kinds of tests to make sure I get the network bytes

I think the <script> tag still accepts any type, but we got a request
from someone on the security team to make that strict when the nosniff
directive is enabled.  It's unclear what we'll end up doing in that
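
A Python stand-in for the netcat approach described in this message, added here as an example and not the test case the author used: it builds the exact response bytes for a GIF declared as image/png with nosniff set, and reports the declared type beside the type implied by the magic bytes. The function names, port 8000 and the 1x1 GIF are assumptions constructed for the example.

```python
import socket

# 1x1 GIF, constructed for this example.
GIF_1PX = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
           b"\x00\x02\x02D\x01\x00;")

MAGIC = {b"GIF87a": "image/gif", b"GIF89a": "image/gif",
         b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}

def sniffed_type(body):
    """Type implied by the leading magic bytes, or None if unrecognised."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def build_response(body, declared_type, nosniff=True):
    """Exact bytes to put on the wire, so no server software rewrites them."""
    headers = [b"HTTP/1.1 200 OK",
               b"Content-Type: " + declared_type.encode("ascii"),
               b"Content-Length: " + str(len(body)).encode("ascii"),
               b"Connection: close"]
    if nosniff:
        headers.append(b"X-Content-Type-Options: nosniff")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

def declared_vs_sniffed(response):
    """Parse raw response bytes; return (declared type, type by magic bytes)."""
    head, _, body = response.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            declared = value.strip().decode("ascii")
    return declared, sniffed_type(body)

def serve_once(response, port=8000):
    """Answer one connection with `response` byte for byte (assumed port)."""
    with socket.create_server(("127.0.0.1", port)) as srv:
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)                      # read and discard the request
            conn.sendall(response)

if __name__ == "__main__":
    resp = build_response(GIF_1PX, "image/png")
    print(declared_vs_sniffed(resp))
    serve_once(resp)                              # then load it from an <img>
```

Calling `build_response` with `nosniff=False` gives the control case for comparing browser behaviour with and without the directive.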


