- From: Gordon P. Hemsley <gphemsley@gmail.com>
- Date: Fri, 16 Nov 2012 17:43:32 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: whatwg List <whatwg@whatwg.org>
On Fri, Nov 16, 2012 at 5:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
>> In addition, I would like to, if I could, also allow the header to be
>> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
>> that reason (and because of best current practice).
>>
>> Does anyone have any questions, comments, or objections about this issue?
>
> Not sure why you would drop the prefix if it's not supported. Doesn't
> seem like best practice to me to needlessly break compatibility. ;-)
>
> Also, are we sure they are not sniffing still? E.g. how is mislabeled
> image content treated? I vaguely recall an image/png resource that's
> actually a GIF, still working even in the presence of this header.
> <script> probably still executes too, although I guess MIME sniff
> currently has no say in how <script> loading does not care about the
> MIME type.

Well, it was my (unverified) understanding that the header wasn't widely implemented yet. Gecko has a bug on file (which notes that it's for parity with Chrome):

https://bugzilla.mozilla.org/show_bug.cgi?id=471020

So my intent was actually to specify exactly what browsers should do, rather than what they currently do. (This spec is a mixture of both in that department, modeled off of what Chrome does.)

Regarding your anecdote, it's possible that you were using a browser that didn't support the header (thus performing the sniffing even when told not to). If you weren't, though, I think that's Bad™. If browsers ignore the header, then there's no point in having it.

Unless, of course, we only want to limit it to scriptable media types. That wasn't what I was originally considering, but it doesn't necessarily conflict with the IE team's original intent. (Their example is content marked as 'text/plain' being sniffed as 'text/html'.)

So, what do the implementors think?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ • http://gphemsley.org/blog/
Received on Friday, 16 November 2012 22:44:20 UTC
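As an added example (not code from the thread, the spec draft, or any browser), the cases the message discusses can be turned into a deployment check: does a response opt out of sniffing under either spelling of the header, and does its declared Content-Type agree with what the body's leading bytes suggest (the image/png-that-is-a-GIF and text/plain-that-is-HTML cases)? The magic-byte table and the HTML heuristic below are constructed for the example and only cover the types named in the thread.

```python
"""Audit an HTTP response for the MIME-confusion cases discussed above.

Added example, not part of the thread. Assumes headers arrive as a plain
dict (any name casing) and the body as bytes; it reports findings rather
than deciding how a browser should render.
"""
from typing import Dict, List, Optional

# Constructed signature table: only the types the thread mentions.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

_HTML_STARTS = (b"<!doctype html", b"<html", b"<script")


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return ""


def nosniff_set(headers: Dict[str, str]) -> bool:
    """True if the response opts out of sniffing.

    Accepts the shipped 'X-' spelling and the prefix-less spelling proposed
    in the thread, so a checker does not miss either form."""
    return any(_header(headers, n).lower() == "nosniff"
               for n in ("x-content-type-options", "content-type-options"))


def sniff_body(body: bytes) -> Optional[str]:
    """Guess a type from the leading bytes; None when nothing matches."""
    for magic, mime in _SIGNATURES.items():
        if body.startswith(magic):
            return mime
    if body.lstrip()[:32].lower().startswith(_HTML_STARTS):
        return "text/html"
    return None


def audit(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return findings a deployer should act on; an empty list means clean."""
    findings: List[str] = []
    declared = _header(headers, "content-type").split(";")[0].strip().lower()
    guessed = sniff_body(body)
    if not nosniff_set(headers):
        findings.append("missing nosniff: browsers may content-sniff this response")
    if guessed and declared and guessed != declared:
        findings.append(f"declared {declared} but body looks like {guessed}")
    return findings
```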