Re: [whatwg] [mimesniff] The X-Content-Type-Options header from Gordon P. Hemsley on 2012-11-16 (public-whatwg-archive@w3.org from November 2012)

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Fri, 16 Nov 2012 17:43:32 -0500
To: Anne van Kesteren <annevk@annevk.nl>
Cc: whatwg List <whatwg@whatwg.org>
Message-ID: <CAH4e3M7hjUe8hg5iK6uGD4onK=q+iej5oXkoODc5MEgkAD7Rug@mail.gmail.com>

On Fri, Nov 16, 2012 at 5:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
>> In addition, I would like to, if I could, also allow the header to be
>> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
>> that reason (and because of best current practice).
>>
>> Does anyone have any questions, comments, or objections about this issue?
>
> Not sure why you would drop the prefix if it's not supported. Doesn't
> seem like best practice to me to needlessly break compatibility. ;-)
>
> Also, are we sure they are not sniffing still? E.g. how is mislabeled
> image content treated? I vaguely recall a image/png resource that's
> actually a GIF, still working even in the presence of this header.
> <script> probably still executes too, although I guess MIME sniff
> currently has no say in how <script> loading does not care about the
> MIME type.

Well, it was my (unverified) understanding that the header wasn't
widely implemented yet.

Gecko has a bug on file (which notes that it's for parity with Chrome):

https://bugzilla.mozilla.org/show_bug.cgi?id=471020

So my intent was actually to specify exactly what browsers should do,
rather than what they currently do. (This spec is a mixture of both in
that department, modeled off of what Chrome does.)

Regarding your anecdote, it's possible that you were using a browser
that didn't support the header (thus performing the sniffing even when
told not to). If you weren't, though, I think that's Bad™. If browsers
ignore the header, then there's no point in having it.

Unless, of course, we only want to limit it to scriptable media types.
That wasn't what I was originally considering, but it doesn't
necessarily conflict with the IE team's original intent. (Their
example is content marked as 'text/plain' being sniffed as
'text/html'.)

So, what do the implementors think?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ • http://gphemsley.org/blog/

Received on Friday, 16 November 2012 22:44:20 UTC