- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 18 Aug 2014 10:00:15 +0200
- To: Mike West <mkwst@google.com>
- Cc: Hatter Jiang OWS <hatter@openwebsecurity.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Aug 18, 2014 at 9:39 AM, Mike West <mkwst@google.com> wrote:
> I was confused by the fact that `X-Content-Type-Options` applies to the
> resource being loaded, rather than resources loaded by a document. Setting a
> sniffing policy for a document seems like a reasonable thing to consider
> doing (though it should likely be done in conjunction with the
> http://mimesniff.spec.whatwg.org/ WHATWG spec).
>
> Still, this is something we could certainly consider for the next iteration
> of CSP. Filed https://github.com/w3c/webappsec/issues/44 to make sure we
> keep it in mind.

This would be interesting if defined in detail across all request contexts.
E.g. I believe that X-Content-Type-Options might not apply to <img>, or maybe
it does, but then something labeled image/jpeg could still be decoded as
image/png. There are a lot of subtleties there and potential interoperability
hazards if not nailed down carefully.

--
http://annevankesteren.nl/
Received on Monday, 18 August 2014 08:00:42 UTC
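The per-response, per-destination behaviour the thread is circling, as an added example that is not code from the thread, from any browser, or from the WHATWG specs themselves. It models the nosniff check the way the Fetch spec's "should response to request be blocked due to nosniff" algorithm describes it today (script-like destinations must carry a JavaScript MIME type, `style` must be `text/css`, nothing else is checked), next to signature-based image sniffing per the MIME Sniffing spec's PNG/JPEG/GIF patterns, which nosniff does not influence. The function names, the abbreviated signature table and the sample responses are this example's own assumptions; the 2014 thread itself did not settle any of this.

```javascript
// Added example, not code from the thread or any browser: a model of how
// `X-Content-Type-Options: nosniff` is applied per response and per request
// destination (following the Fetch spec's nosniff blocking algorithm), next to
// signature-based image sniffing (following the MIME Sniffing spec's image
// patterns), which nosniff does not touch. Names and samples are assumptions.

const JAVASCRIPT_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Destinations the Fetch spec treats as "script-like" for the nosniff check.
const SCRIPT_LIKE = new Set(['script', 'worker', 'sharedworker', 'serviceworker',
  'audioworklet', 'paintworklet']);

// "text/javascript; charset=utf-8" -> "text/javascript" (the MIME essence);
// null when the header is absent or empty (the spec's "failure").
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  return contentType.split(';')[0].trim().toLowerCase() || null;
}

// The header only counts if its first comma-separated value is "nosniff"
// (ASCII case-insensitive): "nosniff, foo" counts, "foo, nosniff" does not.
function nosniffRequested(headers) {
  const raw = headers['x-content-type-options'];
  if (raw === undefined) return false;
  return raw.split(',')[0].trim().toLowerCase() === 'nosniff';
}

// True when the response must be blocked for the given request destination.
// The decision is driven by the loaded response's own headers (not by the
// embedding document), and an "image" destination is never checked.
function blockedByNosniff(destination, headers) {
  if (!nosniffRequested(headers)) return false;
  const essence = mimeEssence(headers['content-type']);
  if (SCRIPT_LIKE.has(destination)) return !JAVASCRIPT_MIME_TYPES.has(essence);
  if (destination === 'style') return essence !== 'text/css';
  return false;
}

// Image type sniffing by byte signature (PNG, JPEG, GIF patterns from the
// MIME Sniffing spec; the real table is longer). Returns null on no match.
function sniffImageType(bytes) {
  const startsWith = (sig) => sig.every((b, i) => bytes[i] === b);
  if (startsWith([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return 'image/png';
  if (startsWith([0xff, 0xd8, 0xff])) return 'image/jpeg';
  if (startsWith([0x47, 0x49, 0x46, 0x38, 0x37, 0x61]) ||
      startsWith([0x47, 0x49, 0x46, 0x38, 0x39, 0x61])) return 'image/gif';
  return null;
}

// How an <img> load picks its decoder: the sniffed signature wins over the
// declared Content-Type, nosniff or not, so a PNG body labelled image/jpeg
// is still decoded as PNG.
function imageTypeForDecoding(headers, bytes) {
  return sniffImageType(bytes) ?? mimeEssence(headers['content-type']);
}

// Constructed sample responses (not captured from any real server).
const SAMPLES = {
  scriptAsPlainText: { 'content-type': 'text/plain', 'x-content-type-options': 'nosniff' },
  scriptProper: { 'content-type': 'text/javascript; charset=utf-8', 'x-content-type-options': 'nosniff' },
  styleAsHtml: { 'content-type': 'text/html', 'x-content-type-options': 'NoSniff' },
  pngLabelledJpeg: { 'content-type': 'image/jpeg', 'x-content-type-options': 'nosniff' },
};
// First bytes of a PNG file (signature plus the start of the IHDR chunk), constructed.
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);

function demo() {
  return {
    scriptAsPlainText: blockedByNosniff('script', SAMPLES.scriptAsPlainText), // true
    scriptProper: blockedByNosniff('script', SAMPLES.scriptProper),           // false
    styleAsHtml: blockedByNosniff('style', SAMPLES.styleAsHtml),              // true
    imageUnaffected: blockedByNosniff('image', SAMPLES.pngLabelledJpeg),      // false
    imageDecodedAs: imageTypeForDecoding(SAMPLES.pngLabelledJpeg, PNG_HEADER), // 'image/png'
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The `imageUnaffected` and `imageDecodedAs` cases are the two halves of the point above: a document cannot set a sniffing policy for its subresources through this header, the header on an image response is ignored for the `image` destination, and even with it present the decoder is chosen by signature, so a mislabelled PNG decodes as PNG.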