- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 02 Apr 2015 03:43:50 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Thursday, 2 April 2015 10:44:29 UTC
Research:

* https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0004.html
* https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0005.html

Todo:

* Study various other contexts.
* Fix tests to match the web-platform-tests framework.

Tentative plan:

* Define the `X-Content-Type-Options` header.
* Add a hook in #concept-fetch that checks a response for "nosniff" violations. If there are violations, return a network error instead.
* Write a section that defines the check for "nosniff" violations: checking the request context against the MIME type if a "nosniff" header is around.

Open issue:

* Might need to annotate the response with a "nosniff" flag of sorts so further checks can be done by special components. E.g. an image decoder might want to reject a GIF with an image/png MIME type (IE11 does this).

---

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/35
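A minimal model of the "nosniff violation" hook sketched in the plan above, written as an added example rather than code from the message, the Fetch standard or any browser. The header parsing, the script/style MIME rules and the response annotation for the image-decoder case are assumptions modelled on what the Fetch standard later adopted; the `Response` class and the sample headers are constructed stand-ins.

```python
# Added example: a model of the "nosniff" check the plan above proposes for fetch.
# Assumed (not in the message): script-like destinations require a JavaScript MIME
# type and "style" requires text/css; other destinations are left to later components.
from dataclasses import dataclass, field

SCRIPT_LIKE = {"script", "worker", "sharedworker", "serviceworker"}
JAVASCRIPT_MIME_TYPES = {
    "application/javascript", "application/ecmascript", "application/x-javascript",
    "text/javascript", "text/ecmascript", "text/javascript1.5",
}


@dataclass
class Response:
    headers: dict = field(default_factory=dict)  # lowercase header name -> raw value
    nosniff: bool = False  # annotation so e.g. an image decoder can apply its own check


def determine_nosniff(headers: dict) -> bool:
    """True when the first X-Content-Type-Options list member is 'nosniff' (case-insensitive)."""
    raw = headers.get("x-content-type-options")
    if raw is None:
        return False
    first = raw.split(",", 1)[0].strip()
    return first.lower() == "nosniff"


def mime_essence(headers: dict):
    """Return the 'type/subtype' part of Content-Type, or None when absent or unparseable."""
    ctype = headers.get("content-type")
    if not ctype or "/" not in ctype:
        return None
    return ctype.split(";", 1)[0].strip().lower()


def blocked_by_nosniff(destination: str, response: Response) -> bool:
    """The hook the plan adds to fetch: True means the fetch yields a network error."""
    if not determine_nosniff(response.headers):
        return False
    response.nosniff = True  # flag the response for special components (open issue above)
    essence = mime_essence(response.headers)
    if destination in SCRIPT_LIKE:
        return essence not in JAVASCRIPT_MIME_TYPES  # None (no/invalid type) is blocked
    if destination == "style":
        return essence != "text/css"
    return False  # other contexts: the decoder consults response.nosniff itself


if __name__ == "__main__":
    r = Response({"content-type": "text/plain", "x-content-type-options": "nosniff"})
    print("script blocked:", blocked_by_nosniff("script", r))  # True
```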