[whatwg] [mimesniff] The X-Content-Type-Options header from Gordon P. Hemsley on 2012-11-16 (public-whatwg-archive@w3.org from November 2012)

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Fri, 16 Nov 2012 17:19:37 -0500
To: whatwg List <whatwg@whatwg.org>
Message-ID: <CAH4e3M61gS3ENDfgYRaQc-HdGinY18hV80DHW35-NWnahtzFeA@mail.gmail.com>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=19865

Microsoft introduced the X-Content-Type-Options header in IE8 back in 2008:

http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

I would like to integrate the header into mimesniff and describe its
proper usage.

Right now, it allows one parameter: 'nosniff'. I would like to allow
the presence of this parameter to set the 'no-sniff flag' that I just
introduced into mimesniff (in addition to that flag's existing
duties):

http://mimesniff.spec.whatwg.org/#no-sniff-flag

But I would also like to fully spec the header, while leaving open the
possibility that other values may be added in the future.

In addition, I would like to, if I could, also allow the header to be
specified without the 'X-' prefix (so as 'Content-Type-Options'), for
that reason (and because of best current practice).

Does anyone have any questions, comments, or objections about this issue?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ • http://gphemsley.org/blog/

Received on Friday, 16 November 2012 22:24:41 UTC