Re: [CSP] use csp-report-only to find out all content-type sniffing

On Mon, Aug 18, 2014 at 9:39 AM, Mike West <> wrote:
> I was confused by the fact that `X-Content-Type-Options` applies to the
> resource being loaded, rather than resources loaded by a document. Setting a
> sniffing policy for a document seems like a reasonable thing to consider
> doing (though it should likely be done in conjunction with the
> WHATWG spec).
> Still, this is something we could certainly consider for the next iteration
> of CSP. Filed to make sure we
> keep it in mind.

This would be interesting if defined in detail across all request
contexts. E.g. I believe that X-Content-Type-Options might not apply
to <img> or maybe it does, but then something labeled image/jpeg could
still be decoded as image/png. There are a lot of subtleties there and
potential interoperability hazards if not nailed down carefully.


Received on Monday, 18 August 2014 08:00:42 UTC
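The two behaviours the reply contrasts, worked through as an added example (this is not code from the thread or from any browser): the first function models the nosniff blocking rule as the Fetch standard specifies it today, which applies only to script and style destinations; the second models image decoding, where browsers pick the format from the file signature regardless of the declared `Content-Type` and regardless of `X-Content-Type-Options`. The header blocks and bodies are constructed, and the function and constant names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

# JavaScript MIME type essences as listed in the MIME Sniffing standard.
JAVASCRIPT_MIME_ESSENCES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Image signatures from the MIME Sniffing standard's image pattern table (subset).
IMAGE_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a constructed header block into a lower-cased dict (first value wins)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def mime_essence(content_type: Optional[str]) -> Optional[str]:
    """Return 'type/subtype' without parameters, lower-cased, or None."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def nosniff_requested(headers: Dict[str, str]) -> bool:
    """Fetch's 'determine nosniff': first token of X-Content-Type-Options is 'nosniff'."""
    first = headers.get("x-content-type-options", "").split(",", 1)[0].strip().lower()
    return first == "nosniff"


def blocked_by_nosniff(headers: Dict[str, str], destination: str) -> bool:
    """Fetch's nosniff rule: only script and style destinations are ever blocked."""
    if not nosniff_requested(headers):
        return False
    essence = mime_essence(headers.get("content-type"))
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_ESSENCES
    if destination == "style":
        return essence != "text/css"
    return False  # images, fonts, fetch(), etc. are not subject to nosniff blocking


def sniff_image_type(body: bytes) -> Optional[str]:
    """Image sniffing by signature, performed whether or not nosniff is set."""
    for signature, image_type in IMAGE_SIGNATURES:
        if body.startswith(signature):
            return image_type
    return None


def image_decoder_type(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Format an <img> load is decoded as: the signature wins over the label."""
    return sniff_image_type(body) or mime_essence(headers.get("content-type"))


# Constructed responses: a mislabelled script and a PNG served as image/jpeg.
PLAIN_TEXT_NOSNIFF = parse_headers("""
Content-Type: text/plain
X-Content-Type-Options: nosniff
""")
JPEG_LABEL_NOSNIFF = parse_headers("""
Content-Type: image/jpeg
X-Content-Type-Options: nosniff
""")
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed: PNG signature only

if __name__ == "__main__":
    print("script, text/plain + nosniff -> blocked:", blocked_by_nosniff(PLAIN_TEXT_NOSNIFF, "script"))
    print("image,  text/plain + nosniff -> blocked:", blocked_by_nosniff(PLAIN_TEXT_NOSNIFF, "image"))
    print("image/jpeg label, PNG bytes  -> decoded as:", image_decoder_type(JPEG_LABEL_NOSNIFF, PNG_BODY))
```

Running it shows the asymmetry the reply points at: the same nosniff header that blocks a mislabelled script does nothing for an image destination, and an image labelled image/jpeg whose bytes carry the PNG signature is still decoded as PNG.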