- From: Philip Taylor <pjt47@cam.ac.uk>
- Date: Thu, 04 Sep 2008 23:30:32 +0100
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: HTML WG <public-html@w3.org>

Julian Reschke wrote:
> Philip Taylor wrote:
>>
>> (It seems it would have to be a new header, not a new value for
>> X-Content-Type-Options, because no value other than "nosniff" will be
>> accepted by IE8 to disable sniffing, and sites will want to work as
>> securely as possible in both IE8 and IE10.)
>
> Yes - they really need to define the value space and extensibility model
> for that header.

I just checked this more carefully, and actually IE8b2 simply requires the first seven bytes (after stripping leading space and tab characters) to be "nosniff" (case-insensitively). So you can send e.g. "X-Content-Type-Options: nosniff-noreally" and IE8 will still do its sniffing-avoidance thing.

(But that feels more like accidental extensibility than intentional design...)

-- 
Philip Taylor
pjt47@cam.ac.uk

Received on Thursday, 4 September 2008 22:31:09 UTC
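
The matching rule described in the message above, as an added example that is not part of the original post and is not IE's code: it models the seven-byte prefix check beside a hypothetical exact-match rule and lists the header values on which the two disagree. The function names, the strict rule and the sample values are assumptions made for illustration.

```javascript
// Model of the matching the message describes for IE8 beta 2 (a sketch of the
// described behaviour, not IE's implementation): strip leading space and tab
// characters, then compare the first seven bytes to "nosniff", ignoring case.
// slice() counts UTF-16 code units, which equal bytes for ASCII header values.
function ie8b2StyleMatch(value) {
  const stripped = value.replace(/^[ \t]+/, "");
  return stripped.slice(0, 7).toLowerCase() === "nosniff";
}

// Hypothetical strict rule for comparison: after trimming space and tab at
// both ends, the whole value must be exactly "nosniff" (case-insensitive).
function strictMatch(value) {
  return value.replace(/^[ \t]+|[ \t]+$/g, "").toLowerCase() === "nosniff";
}

// Constructed sample X-Content-Type-Options values (not taken from real traffic).
const SAMPLES = [
  "nosniff",
  " \tNoSniff",
  "nosniff ",
  "nosniff-noreally", // the value quoted in the message
  "nosniff, other",
  "no-sniff",
  "\u00a0nosniff",    // leading NBSP is not space or tab, so it is not stripped
  "",
];

// Evaluate every value under both rules.
function compare(values) {
  return values.map((value) => ({
    value,
    prefix: ie8b2StyleMatch(value),
    strict: strictMatch(value),
  }));
}

// Values a prefix-matching client honours but an exact-matching client would
// ignore: these are the ones a site cannot rely on across implementations.
function divergent(values) {
  return compare(values)
    .filter((r) => r.prefix !== r.strict)
    .map((r) => r.value);
}

console.log(divergent(SAMPLES));
```

Any value in the divergent list disables sniffing only under the prefix rule, so a server that wants the same result under both rules sends the bare token.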