Re: [whatwg] [mimesniff] The X-Content-Type-Options header

On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
> In addition, I would like to, if I could, also allow the header to be
> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
> that reason (and because of best current practice).
>
> Does anyone have any questions, comments, or objections about this issue?

Not sure why you would drop the prefix if it's not supported. Doesn't
seem like best practice to me to needlessly break compatibility. ;-)

Also, are we sure they are not sniffing still? E.g. how is mislabeled
image content treated? I vaguely recall an image/png resource that's
actually a GIF, still working even in the presence of this header.
<script> probably still executes too, although I guess MIME sniff
currently has no say in how <script> loading does not care about the
MIME type.


-- 
http://annevankesteren.nl/

Received on Friday, 16 November 2012 22:29:01 UTC
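
The mislabeled-image case raised in the message above (a resource served as image/png whose bytes are a GIF), as an added example that is not part of the original e-mail: a check a server-side test or response audit could run to flag such responses, whatever a browser does with them. The function names, the lowercase header-object shape, the verdict strings and the sample bytes are assumptions made for illustration.

```javascript
// Added example (not from the original message). Compares the declared image
// type of a response with the magic number found at the start of its body.
const IMAGE_SIGNATURES = [
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/bmp",  bytes: [0x42, 0x4d] },                         // "BM"
];

// Return the image type whose signature prefixes the body, or null.
function sniffImageType(body) {
  for (const sig of IMAGE_SIGNATURES) {
    if (body.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => body[i] === b)) return sig.type;
  }
  return null;
}

// Reduce "Image/PNG; charset=x" to "image/png".
function essence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// headers: object with lowercase header names (assumed shape).
// body: Uint8Array holding at least the first bytes of the response.
function auditImageResponse(headers, body) {
  const declared = essence(headers["content-type"]);
  // Simplified parse: the value must be exactly "nosniff", case-insensitively.
  const nosniff =
    (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  const detected = sniffImageType(body);
  let verdict;
  if (!declared.startsWith("image/")) verdict = "not-image";
  else if (detected === null) verdict = "unknown-signature";
  else if (detected === declared) verdict = "consistent";
  else verdict = nosniff ? "mismatch-under-nosniff" : "mismatch";
  return { declared, detected, nosniff, verdict };
}

// Constructed sample bodies: a GIF89a header and a PNG signature, padded.
const SAMPLE_GIF = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00]);
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00]);
```

A `mismatch-under-nosniff` verdict marks the responses worth testing by hand in each browser, since those are the ones where the header and the bytes disagree.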