[CSP] use csp-report-only to find out all content-type sniffing

Many web sites use JSONP, but may set the wrong Content-Type (e.g.
text/html); sniffing will make the code look like it works. But for security, I
want to turn sniffing off using `X-Content-Type-Options: nosniff`.

Sometimes it is really difficult for me to find out all the JSONP with the
wrong Content-Type assigned.

If I could use CSP like:

    Content-Security-Policy-Report-Only: content-type-option nosniff; report-uri /cspreport.do

it would help me find out all the Content-Type sniffing invocations.

P.S.
1. The "X-" header prefix is deprecated by RFC 6648.
2. In CSP Level 2, frame-ancestors replaces X-Frame-Options and
reflected-xss replaces X-XSS-Protection, but X-Content-Type-Options has no
replacement.

Hatter Jiang

Received on Saturday, 16 August 2014 22:13:33 UTC
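The report-only directive asked for above does not exist, but the same audit can be done offline against captured responses: the Fetch standard blocks a `<script>` load under `nosniff` unless the Content-Type is a JavaScript MIME type, so simulating that rule over a site's JSONP responses lists what would break before the header is deployed. The following is an added example written for this page, not code from the poster or any browser; the sample responses are constructed.

```python
"""Audit: which script/JSONP responses would break once nosniff is on?"""
from typing import Dict, List, Tuple

# JavaScript MIME types per the MIME Sniffing standard; only these pass
# the nosniff check for a script destination (note: application/json is
# NOT one of them, so JSONP served as JSON also breaks).
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def mime_essence(content_type: str) -> str:
    """Lowercase type/subtype with parameters (e.g. charset) dropped."""
    return content_type.split(";", 1)[0].strip().lower()

def has_nosniff(headers: Dict[str, str]) -> bool:
    """Fetch's 'determine nosniff': first list member must be 'nosniff'.
    Header names are expected in lowercase."""
    value = headers.get("x-content-type-options", "")
    return value.split(",", 1)[0].strip().lower() == "nosniff"

def blocked_for_script(headers: Dict[str, str]) -> bool:
    """True if a <script> load of this response is blocked by nosniff."""
    if not has_nosniff(headers):
        return False  # no nosniff: browser may still sniff the body
    return mime_essence(headers.get("content-type", "")) not in JAVASCRIPT_MIME_TYPES

def audit(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return URLs whose script loads would fail after nosniff is deployed."""
    broken = []
    for url, headers in responses:
        simulated = {k.lower(): v for k, v in headers.items()}
        simulated["x-content-type-options"] = "nosniff"  # pretend it is on
        if blocked_for_script(simulated):
            broken.append(url)
    return broken

# Constructed sample capture (not from any real site).
SAMPLE_RESPONSES = [
    ("/api/user.jsonp?callback=cb", {"Content-Type": "text/html; charset=utf-8"}),
    ("/api/feed.jsonp?callback=cb", {"Content-Type": "application/json"}),
    ("/api/ok.jsonp?callback=cb", {"Content-Type": "text/javascript; charset=utf-8"}),
    ("/static/app.js", {"Content-Type": "application/javascript"}),
]

if __name__ == "__main__":
    print("Would break under nosniff:", audit(SAMPLE_RESPONSES))
```

Feed the function real captured headers (e.g. from a proxy or server log) to get the list of endpoints whose Content-Type must be corrected before turning on nosniff.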