- From: Gordon P. Hemsley <gphemsley@gmail.com>
- Date: Fri, 10 May 2013 15:15:11 -0400
- To: whatwg List <whatwg@whatwg.org>
I've made a first pass at speccing the X-Content-Type-Options header:

https://github.com/whatwg/mimesniff/commit/1599b7900afb923eff3af94e7e92a3d895eeb8f7
http://mimesniff.spec.whatwg.org/

As it stands now:

* If any resource retrieved over HTTP has an X-Content-Type-Options header with a value of "nosniff", sniffing is turned off. (That means multiple headers, with possible other values, will not turn sniffing back on.)

* Sniffing can only be turned off by the X-Content-Type-Options in contexts that call the main MIME type sniffing algorithm. In general, that means sniffing is only turned off in contexts that do not have a type hint. Contexts such as <img> call context-sniffing algorithms from the HTML spec, and so are subject to different algorithmic restrictions. However, <script> does not have its own context-specific algorithm; I don't know how the HTML spec handles that. I also don't know how the HTML spec handles <iframe>, but I assume that it calls the main MIME type sniffing algorithm as any primary browsing context would.

* If the X-Content-Type-Options header turns sniffing off, but the supplied MIME type is unknown, non-scriptable types are still sniffed, because we need to have some idea of what the resource is. (If no known signatures are detected, the algorithm ends with either "text/plain" or "application/octet-stream", depending on whether there are any binary bytes in the resource header.)

Now, I have to admit up front that I didn't actually test whether this behavior matches existing implementations. Instead, I used others' reports [1][2] as a basis and made the least number of changes to the existing spec as I probably could. I know Mozilla is looking for what to implement and this, as now specced, seems like reasonable behavior to me.

Let us now commence quibbling about the details.

[1] http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-November/037983.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=471020

--
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ • http://gphemsley.org/blog/
Received on Friday, 10 May 2013 19:16:04 UTC
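The three bullet points above describe a small decision procedure, and the security-relevant consequence is easiest to see by running it: with `nosniff` in force a resource that carries no usable Content-Type can still be recognised as an image or archive, but it can never be promoted to a scriptable type such as `text/html`. The following Python model is an added example written for this archive page; it is not the mimesniff spec's reference code nor anything from the whatwg repository. The signature table is a hand-picked subset constructed for the example, the "binary data byte" ranges and the case-insensitive header matching are assumptions about the spec, and known supplied types without `nosniff` are simply passed through (the real algorithm does further checks there, which the message does not discuss).

```python
"""Toy model of the X-Content-Type-Options: nosniff behaviour described in the
message above. Added example, not the mimesniff spec's own code."""

# Byte values treated as "binary data bytes" when no signature matches. These
# ranges are an assumption about the spec's definition, not quoted from it.
BINARY_DATA_BYTES = frozenset(
    list(range(0x00, 0x09)) + [0x0B] + list(range(0x0E, 0x1B)) + list(range(0x1C, 0x20))
)

# Supplied types that carry no usable hint (assumed list).
UNKNOWN_TYPES = frozenset({"unknown/unknown", "application/unknown", "*/*"})

# Constructed signature subset: (prefix, mime type, scriptable?, text?).
# "text" signatures skip leading whitespace and match case-insensitively.
SIGNATURES = [
    (b"<!DOCTYPE HTML", "text/html", True, True),
    (b"<HTML", "text/html", True, True),
    (b"<SCRIPT", "text/html", True, True),
    (b"<?xml", "text/xml", True, True),
    (b"%PDF-", "application/pdf", True, False),
    (b"\x89PNG\r\n\x1a\n", "image/png", False, False),
    (b"GIF87a", "image/gif", False, False),
    (b"GIF89a", "image/gif", False, False),
    (b"\xff\xd8\xff", "image/jpeg", False, False),
    (b"PK\x03\x04", "application/zip", False, False),
]


def nosniff_requested(headers):
    """True if any X-Content-Type-Options header carries the value 'nosniff'.

    As the message says: one such header is enough, and additional headers with
    other values do not turn sniffing back on. Comparison is ASCII
    case-insensitive here (assumption). `headers` is a list of (name, value)."""
    return any(
        name.lower() == "x-content-type-options" and value.strip().lower() == "nosniff"
        for name, value in headers
    )


def supplied_mime_type(headers):
    """Essence (type/subtype) of the last Content-Type header, or None if the
    header is missing, malformed, or one of the 'unknown' placeholder types."""
    ctype = None
    for name, value in headers:
        if name.lower() == "content-type":
            ctype = value.split(";", 1)[0].strip().lower()
    if not ctype or "/" not in ctype or ctype in UNKNOWN_TYPES:
        return None
    return ctype


def sniff_unknown(resource_header, allow_scriptable):
    """Signature sniffing for a resource with no usable supplied type.

    With nosniff in force only non-scriptable signatures are consulted. With no
    match, the result is application/octet-stream if the resource header holds
    any binary data byte, else text/plain (the fallback the message describes)."""
    for prefix, mime, scriptable, text in SIGNATURES:
        if scriptable and not allow_scriptable:
            continue
        data = resource_header
        if text:
            data = data.lstrip(b"\t\n\x0c\r ")[: len(prefix)].upper()
            prefix = prefix.upper()
        if data.startswith(prefix):
            return mime
    if any(b in BINARY_DATA_BYTES for b in resource_header):
        return "application/octet-stream"
    return "text/plain"


def computed_mime_type(headers, body):
    """Main algorithm as the message describes it, on the first 512 body bytes.

    - Unknown supplied type: sniff; nosniff only removes scriptable outcomes.
    - Known supplied type: returned as-is (with nosniff this is what the spec
      mandates; without nosniff the real spec does more, omitted here)."""
    resource_header = body[:512]
    supplied = supplied_mime_type(headers)
    if supplied is None:
        return sniff_unknown(resource_header, allow_scriptable=not nosniff_requested(headers))
    return supplied


if __name__ == "__main__":
    # Constructed sample: an HTML-looking upload served with no Content-Type.
    html_like = b"<!DOCTYPE html><script>alert('hi')</script>"
    print(computed_mime_type([], html_like))                                        # text/html
    print(computed_mime_type([("X-Content-Type-Options", "nosniff")], html_like))   # text/plain
    print(computed_mime_type([("X-Content-Type-Options", "nosniff")], b"\x89PNG\r\n\x1a\n"))  # image/png
```

The two `html_like` calls are the whole point from a defensive angle: the same bytes become `text/html` when the server sends no hint, and stay inert `text/plain` once `nosniff` is present, while the PNG case shows that non-scriptable detection still works so the header does not break ordinary image handling.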