- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 13 May 2014 20:06:00 +0000 (UTC)
- To: "Eduardo' Vela\\\" <Nava>" <evn@google.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Adam Barth <w3c@adambarth.com>, Michal Zalewski <lcamtuf@coredump.cx>
On Tue, 13 May 2014, Eduardo' Vela\" <Nava> wrote: > > Thanks! > > Just to ensure this wasn't lost in the thread. > > What about X-Content-Type-Options: nosniff? > > Could we formalize it and remove the X and disable sniffing all > together? Do you mean for manifests specifically, or more generally? For manifests specifically, it seems like a very odd feature. "Manifests don't have a MIME type normally, but if served with this header, then you should also change how you determine if a manifest is a manifest"? If we just want a way to prevent pages that aren't supposed to be manifests from being treated as manifests, I think it'd be better to have a CSP directive that disables manifests. Then you would apply it to any resource you know you don't want cached, don't want to be treated as being able to declare a manifests, and don't want treated as a manifest. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 13 May 2014 20:06:24 UTC