Re: [CSP] use csp-report-only to find out all content-type sniffing

I was confused by the fact that `X-Content-Type-Options` applies to the
resource being loaded, rather than resources loaded by a document. Setting
a sniffing policy for a document seems like a reasonable thing to consider
doing (though it should likely be done in conjunction with the WHATWG spec).

Still, this is something we could certainly consider for the next iteration
of CSP. Filed to make sure we
keep it in mind.


Mike West


On Sat, Aug 16, 2014 at 7:03 PM, Hatter Jiang OWS wrote:

> Many web sites use JSONP, but may set the wrong Content-Type (e.g.
> text/html); sniffing makes the code look as if it works. But for security, I
> want to turn sniffing off using `X-Content-Type-Options: nosniff`.
> Sometimes it is really difficult for me to find out all the JSONP with the
> wrong Content-Type assigned.
> If I could use CSP like:
> Content-Security-Policy-Report-Only: content-type-option nosniff;
> report-uri /
> it would help me find all the Content-Type sniffing invocations.
> P.S.
> 1. The "X-" prefix for headers is deprecated by RFC 6648.
> 2. In CSP Level 2, frame-ancestors replaces X-Frame-Options and
> reflected-xss replaces X-XSS-Protection, but X-Content-Type-Options has no
> replacement.
> Hatter Jiang
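An added example, not from either message, of the audit Hatter describes doing by hand: given captured responses, flag the script-like ones (JSONP callbacks, `.js` paths) whose declared Content-Type is not a JavaScript MIME type, since those load today only because the browser sniffs them and would be blocked once `nosniff` is sent. The sample responses and URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# JavaScript MIME types a browser accepts for <script> when sniffing is disabled.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/ecmascript",
                "text/ecmascript", "application/x-javascript"}

# A JSONP body starts with a callback identifier followed by "(".
JSONP_BODY = re.compile(r"^\s*[A-Za-z_$][\w$.]*\s*\(")

# Constructed sample responses (URL, Content-Type header, start of body);
# not captured from any real site.
SAMPLE_RESPONSES = [
    ("/api/user?callback=cb1", "text/html; charset=utf-8", 'cb1({"id": 42});'),
    ("/api/items?callback=handle", "application/javascript", "handle([1, 2, 3]);"),
    ("/page", "text/html", "<!doctype html><html><body>hi</body></html>"),
    ("/static/legacy.js", "text/plain", "window.App = window.App || {};"),
    ("/data.json", "text/html", '{"ok": true}'),  # plain JSON for XHR, not a script
]

def mime_type(content_type):
    """Strip parameters such as charset and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def script_context_reason(url, body):
    """Why this response is probably consumed as a script, or None if it is not."""
    parts = urlsplit(url)
    if parts.path.endswith(".js"):
        return "path ends in .js"
    if "callback" in parse_qs(parts.query):
        return "callback= query parameter"
    if JSONP_BODY.match(body):
        return "body looks like a JSONP callback"
    return None

def audit(responses):
    """Return (url, mime_type, reason) for script-like responses whose declared
    type is not a JavaScript MIME type: the ones nosniff would stop from running."""
    findings = []
    for url, content_type, body in responses:
        mt = mime_type(content_type)
        if mt in SCRIPT_TYPES:
            continue  # correctly typed; unaffected by nosniff
        reason = script_context_reason(url, body)
        if reason:
            findings.append((url, mt, reason))
    return findings
```

Run `audit(SAMPLE_RESPONSES)` over responses collected from a crawl or proxy log; each finding is an endpoint whose Content-Type must be corrected before `nosniff` is enforced.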

Received on Monday, 18 August 2014 07:40:36 UTC