
Re: X-Content-Type-Options: nosniff

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 2 Apr 2015 12:22:24 +0200
Message-ID: <CADnb78jaCpnRXHvXiUfyB613oj3z=V9PEh8++s19u5ZQA8QOoA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
On Thu, Apr 2, 2015 at 9:41 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> I've been trying to figure out what this header does in Internet
> Explorer 11 and Chrome dev and how we could maybe standardize it.

<img> - Again only Internet Explorer supports this case. The network
layer check is a filter on supported image formats. E.g. both
image/png and image/gif MIME types can proceed and will produce a load
event. However, if both are for a GIF resource that will only decode
with the image/gif MIME type.

That distinction would mean it's no longer just something we could
check in Fetch. It means the image decoder (which typically handles a
bunch of formats) needs to play an active role too. It's not entirely
clear to me why it is desirable to be able to enforce a distinction
between different image formats.

Received on Thursday, 2 April 2015 10:22:47 UTC
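
The two-stage behaviour described in the message above, modelled as an added example that is not part of the original post or any browser's code. The supported-format set, the signature table and the function names (`detectFormat`, `essence`, `evaluateImage`) are assumptions made for illustration, and the sample body is constructed.

```javascript
// Added model of the <img> nosniff behaviour described in the message.
// Assumption: this "supported image formats" set is illustrative, not IE's list.
const SUPPORTED = new Set(["image/png", "image/gif", "image/jpeg"]);

// Leading-byte signatures used to identify what the body really is.
const SIGNATURES = [
  { type: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
];

function detectFormat(body) {
  const hit = SIGNATURES.find((s) => s.magic.every((b, i) => body[i] === b));
  return hit ? hit.type : null;
}

// Reduce a Content-Type value to its lowercase type/subtype, without parameters.
function essence(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

function evaluateImage({ contentType, nosniff, body }) {
  const declared = essence(contentType);
  const actual = detectFormat(body);
  if (!nosniff) {
    // Assumption: without the header the label is ignored and the bytes decide.
    return { blocked: false, loadEvent: actual !== null, decoded: actual !== null };
  }
  // Stage 1 (network layer): the declared type must be a supported image format.
  if (!SUPPORTED.has(declared)) {
    return { blocked: true, loadEvent: false, decoded: false };
  }
  // Stage 2 (decoder): load fires, but the image decodes only if label matches bytes.
  return { blocked: false, loadEvent: true, decoded: declared === actual };
}

// Constructed sample body: the first bytes of a GIF file ("GIF89a").
const gifBody = Uint8Array.from([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00]);

const cases = ["image/gif", "image/png", "text/html"].map((contentType) => ({
  contentType,
  result: evaluateImage({ contentType, nosniff: true, body: gifBody }),
}));
console.log(cases);
```

The `image/png` case is the one the message singles out: it passes the network-layer filter and reports a load, yet the GIF bytes are not decoded, which is why the check cannot live in Fetch alone.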
