Re: X-Content-Type-Options: nosniff

From: Jim Manico <jim.manico@owasp.org>
Date: Thu, 2 Apr 2015 18:23:32 -0700
Message-ID: <1423873841651825576@unknownmsgid>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

Ok Anne, that was just awesome analysis. I'm very impressed with both
the depth and the clarity.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 2, 2015, at 3:24 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>> On Thu, Apr 2, 2015 at 9:41 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I've been trying to figure out what this header does in Internet
>> Explorer 11 and Chrome dev and how we could maybe standardize it.
>
> <img> - Again only Internet Explorer supports this case. The network
> layer check is a filter on supported image formats. E.g. both
> image/png and image/gif MIME types can proceed and will produce a load
> event. However, if both are for a GIF resource that will only decode
> with the image/gif MIME type.
>
> That distinction would mean it's no longer just something we could
> check in Fetch. It means the image decoder (which typically handles a
> bunch of formats) needs to play an active role too. It's not entirely
> clear to me why it is desirable to be able to enforce a distinction
> between different image formats.
>
>
> --
> https://annevankesteren.nl/
>
Received on Friday, 3 April 2015 01:24:02 UTC
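The quoted analysis describes two separate checks for an `<img>` load under `X-Content-Type-Options: nosniff`: a network-layer filter that only asks whether the declared MIME type is a supported image type at all, and a decoder-level check that refuses to decode the bytes unless the declared type matches the actual format (a GIF served as `image/png` passes the first check but fails the second). The following Python model is an added illustration of that split and is not browser code or anything posted in this thread; the set of "supported image types", the magic-number table and the sample image headers are constructed assumptions used only to make the two stages visible, and it also shows the no-`nosniff` case, where the decoder sniffs the bytes instead.

```python
"""Model of the two-stage nosniff check for <img> described in the thread.

Added illustration, not browser code. The stage split and the tables below
are assumptions made to demonstrate the behaviour, not IE internals.
"""

# Stage 1 (network layer): with nosniff, the only question is whether the
# declared type is a supported image type at all. Assumed set for the model.
SUPPORTED_IMAGE_TYPES = {"image/png", "image/gif", "image/jpeg"}

# Stage 2 (decoder): real file signatures for the formats in the model.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample bodies: just enough leading bytes to carry a signature.
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 16


def parse_mime_type(content_type):
    """Return the lowercase type/subtype of a Content-Type value, dropping parameters."""
    return content_type.split(";", 1)[0].strip().lower()


def network_layer_allows(content_type, nosniff):
    """Stage 1: without nosniff everything proceeds; with nosniff any supported
    image type proceeds, regardless of whether it matches the bytes."""
    if not nosniff:
        return True
    return parse_mime_type(content_type) in SUPPORTED_IMAGE_TYPES


def detect_format(body):
    """Return the MIME type whose signature the body starts with, else None."""
    for mime, sigs in SIGNATURES.items():
        if any(body.startswith(sig) for sig in sigs):
            return mime
    return None


def decoder_accepts(content_type, body, nosniff):
    """Stage 2: the decoder can always tell the real format from the bytes.
    Without nosniff it simply decodes whatever it recognises; with nosniff it
    decodes only when the declared type names that exact format."""
    actual = detect_format(body)
    if actual is None:
        return False
    if not nosniff:
        return True
    return parse_mime_type(content_type) == actual


def img_load(content_type, body, nosniff=True):
    """Run both stages and report the outcome of each."""
    passes_filter = network_layer_allows(content_type, nosniff)
    decodes = passes_filter and decoder_accepts(content_type, body, nosniff)
    return {"passes_network_filter": passes_filter, "decodes": decodes}


if __name__ == "__main__":
    cases = [
        ("image/gif", SAMPLE_GIF, True),    # correct type: passes and decodes
        ("image/png", SAMPLE_GIF, True),    # wrong image type: passes filter, decoder refuses
        ("text/plain", SAMPLE_GIF, True),   # non-image type: blocked at the network layer
        ("text/plain", SAMPLE_GIF, False),  # no nosniff: sniffed and decoded as GIF
    ]
    for ct, body, ns in cases:
        print(f"{ct:12} nosniff={ns!s:5} -> {img_load(ct, body, ns)}")
```

The practical point for a server operator is the `image/png`-for-a-GIF row: once `nosniff` is sent, the `Content-Type` has to be exactly right per resource, because a merely "image-ish" type survives the network-layer filter and then fails at the decoder, which is a harder failure to diagnose than an outright block.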