X-Content-Type-Options: nosniff from Anne van Kesteren on 2015-04-02 (public-webappsec@w3.org from April 2015)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 2 Apr 2015 09:41:42 +0200
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CADnb78iG-_4UeLTKdjHsM=Sqx6qUCTVka-yt5-yMorpPXKr-1A@mail.gmail.com>

I've been trying to figure out what this header does in Internet
Explorer 11 and Chrome dev and how we could maybe standardize it.

<script> - Internet Explorer still loads scripts with Content-Type
missing and Content-Type set to the empty string. Chrome is stricter
and requires a match.

Chrome however treats all loads as successful (dispatches load event).
Internet Explorer does not (dispatches error event for mismatches).

Chrome's error console incorrect labels missing Content-Type as being
the empty string.

I have not tested MIME types extensively.

new Worker() - Internet Explorer does not load scripts with
Content-Type missing or Content-Type set to the empty string this time
around. Consistently dispatches error events on the Worker instance.
Chrome does not support nosniff here.

importScripts() - Internet Explorer is as strict as new Worker().
Throws "NetworkError" consistently. Chrome does not support nosniff
here.

<link rel=stylesheet> - This is only relevant in quirks mode for
same-origin requests as otherwise we already have strict checking for
text/css as far as I can tell from the specification. (And although
this is not specified for @import and co, it should apply there too.)

Internet Explorer does ignore the CSS due to a MIME type mismatch.
However, it treats all loads as successful (dispatches load event).
Not very consistent.

Chrome does not ignore the CSS and claims Content-Type missing,
Content-Type being the empty string, and Content-Type being "x", are
all instead "text/plain" in its console.


It seems to me that ideally we treat this similar to CSP and Mixed
Content in that it's a network error. Internet Explorer does not do
this for CSS currently however and I have yet to test images. Would
the Internet Explorer team be open to changing how they deal with this
for CSS?

Is Chrome interested in aligning this with network error treatment for
the sole case where they currently implement this (<script>)? Is
Chrome interested in widening its application?


-- 
https://annevankesteren.nl/

Received on Thursday, 2 April 2015 07:42:06 UTC