Re: Limitations of IE8 type-sniffing opt-out

Philip Taylor wrote:
> 
> As mentioned in 
> http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx 
> IE8 beta 2 supports "X-Content-Type-Options: nosniff" (previously called 
> "Content-Type: ...; authoritative=true", and discussed around 
> http://lists.w3.org/Archives/Public/public-html/2008Jul/0001.html), 
> which may be of interest to people here.
> 
> From that blog post: "Sending the new X-Content-Type-Options response 
> header with the value nosniff will prevent Internet Explorer from 
> MIME-sniffing a response away from the declared content-type."
> ...

Thanks for testing this. This sort-of confirms what many had expected 
already.

> The obvious danger is that someone will start sending the nosniff header 
> for every file on their server, and test that it works fine in IE8; then 
> for IE10, Microsoft will decide that e.g. allowing text/plain to be 
> executed as JScript via <script> is insecure, but they can't trigger 
> opt-out on the old nosniff header because it will break a load of sites, 
> so it'll need a whole new header 
> ("X-Content-Type-Options-I-Really-Mean-It: nosniff").

Yes.

> (It seems it would have to be a new header, not a new value for 
> X-Content-Type-Options, because no value other than "nosniff" will be 
> accepted by IE8 to disable sniffing, and sites will want to work as 
> securely as possible in both IE8 and IE10.)

Yes - they really need to define the value space and extensibility model 
for that header.

> ...
> On a slightly related note: since I couldn't find this information 
> trivially, it might be nice if somewhere (maybe in the HTML5 spec?) 
> there was a list of all the cases where a resource can be interpreted by 
> a (conforming) UA contrary to its Content-Type, to help people design 
> secure sites by understanding exactly when the declared types might be 
> overruled.
> ...

That sounds like a good idea. It would also make it easier to get an 
overview every time the "authoritative content-type" discussion comes up 
again (and it will come up again :-).

BR, Julian

Received on Wednesday, 3 September 2008 11:15:47 UTC
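The thread above concerns what a "nosniff" user agent should do when the declared Content-Type does not match the way a resource is used (the text/plain-executed-as-JScript case). The following Python is an added example, not code from the thread or from Microsoft; it parses constructed sample response headers and applies the nosniff rule as the Fetch standard later specified it (a script destination requires a JavaScript MIME type, a style destination requires text/css), which goes beyond the IE8 beta 2 behaviour the post describes and is an assumption relative to the 2008 discussion. The header names and `audit`/`blocked_by_nosniff` helpers are this example's own.

```python
"""Decide whether a nosniff-honouring user agent would refuse to use a
response for a given destination.  Added example; assumes the modern
(Fetch standard) semantics of X-Content-Type-Options: nosniff rather than
the IE8 beta 2 behaviour discussed in the thread."""
from typing import Dict, Optional

# JavaScript MIME type essences as enumerated by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw header block (constructed sample input) into a dict keyed
    by lower-cased field name; the last occurrence of a field wins."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:  # skips the status line and blank lines
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def mime_essence(content_type: Optional[str]) -> Optional[str]:
    """Return 'type/subtype' lower-cased with parameters stripped, or None."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when X-Content-Type-Options carries 'nosniff'.  IE8 accepted only
    that exact value; Fetch takes the first comma-separated token and compares
    it case-insensitively, which is the rule implemented here."""
    value = headers.get("x-content-type-options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(headers: Dict[str, str], destination: str) -> bool:
    """True if a nosniff UA refuses the response as `destination` ('script'
    or 'style').  Other destinations are never blocked by this rule."""
    if not nosniff_enabled(headers):
        return False
    essence = mime_essence(headers.get("content-type"))
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


def audit(raw_headers: str, destination: str) -> str:
    """One-line verdict for a response that a page would use as `destination`."""
    h = parse_headers(raw_headers)
    if not nosniff_enabled(h):
        return "sniffable: no nosniff header, the UA may reinterpret the body"
    if blocked_by_nosniff(h, destination):
        return f"blocked: {h.get('content-type')!r} is not a valid {destination} type"
    return "allowed: declared type matches the destination"


if __name__ == "__main__":
    # Constructed sample responses, including the text/plain-as-<script> case.
    samples = [
        ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n", "script"),
        ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n", "script"),
        ("HTTP/1.1 200 OK\r\nContent-Type: text/javascript; charset=utf-8\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n", "script"),
        ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "X-Content-Type-Options: NOSNIFF\r\n\r\n", "style"),
    ]
    for raw, dest in samples:
        print(f"{dest:6s} -> {audit(raw, dest)}")
```

The useful check for a site operator is the second sample: once nosniff is sent, a text/plain resource referenced from a script element is no longer executed, so an audit of declared types against how each URL is actually used has to happen before the header is rolled out server-wide, which is exactly the breakage concern raised in the thread.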