- From: Eduardo' Vela\ <evn@google.com>
- Date: Tue, 13 May 2014 14:41:44 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: whatwg <whatwg@lists.whatwg.org>, Adam Barth <w3c@adambarth.com>, Michal Zalewski <lcamtuf@coredump.cx>
On Tue, May 13, 2014 at 1:06 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Tue, 13 May 2014, Eduardo' Vela\" <Nava> wrote:
> >
> > Thanks!
> >
> > Just to ensure this wasn't lost in the thread.
> >
> > What about X-Content-Type-Options: nosniff?
> >
> > Could we formalize it and remove the X and disable sniffing all
> > together?
>
> Do you mean for manifests specifically, or more generally?

I agree it's wrong to do it as a one-off, so was hoping to make it more
generally (since there seems to be a move on moving out of the CT model).

If that's not OK, then CSP is probably a reasonable way forward (I'll take a
look at the Service Worker thread to ensure we have a similar mitigation in
place).

> For manifests specifically, it seems like a very odd feature. "Manifests
> don't have a MIME type normally, but if served with this header, then you
> should also change how you determine if a manifest is a manifest"?
>
> If we just want a way to prevent pages that aren't supposed to be
> manifests from being treated as manifests, I think it'd be better to have
> a CSP directive that disables manifests. Then you would apply it to any
> resource you know you don't want cached, don't want to be treated as being
> able to declare a manifests, and don't want treated as a manifest.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /, _.. \ _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 13 May 2014 21:42:32 UTC
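The exchange above is about opting a response out of content-type sniffing with X-Content-Type-Options: nosniff. As an added example that is not part of the thread and not code from WHATWG or any browser, the following Python audits a constructed set of HTTP responses for the exposure being discussed: it checks the header the way the Fetch standard's "determine nosniff" step does (first comma-separated token, ASCII case-insensitive), flags responses that declare no Content-Type or lack nosniff, and shows the hardening step of setting the header. The URLs and header sets are placeholders constructed for the demonstration.

```python
# Added example (not part of the thread): audit HTTP response headers for
# MIME-sniffing exposure. Sample responses below are constructed, not real.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    url: str
    headers: Dict[str, str]  # one value per header; names matched case-insensitively


@dataclass
class Finding:
    url: str
    problems: List[str] = field(default_factory=list)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def has_nosniff(headers: Dict[str, str]) -> bool:
    """True if the response opts out of sniffing.

    Mirrors the Fetch standard's "determine nosniff": the header value is
    split on commas and only the first token is compared, ASCII
    case-insensitively, against "nosniff".
    """
    raw = get_header(headers, "X-Content-Type-Options")
    if raw is None:
        return False
    first = raw.split(",", 1)[0].strip()
    return first.lower() == "nosniff"


def media_type(headers: Dict[str, str]) -> Optional[str]:
    """Essence of the Content-Type: type/subtype, lowercased, parameters dropped."""
    raw = get_header(headers, "Content-Type")
    if raw is None:
        return None
    return raw.split(";", 1)[0].strip().lower()


def audit(responses: List[Response]) -> List[Finding]:
    """Flag responses a browser may sniff, or that declare no type at all."""
    findings = []
    for resp in responses:
        problems = []
        if media_type(resp.headers) in (None, ""):
            problems.append("no Content-Type declared")
        if not has_nosniff(resp.headers):
            problems.append("missing X-Content-Type-Options: nosniff")
        if problems:
            findings.append(Finding(resp.url, problems))
    return findings


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with nosniff set, replacing any existing value."""
    fixed = {k: v for k, v in headers.items() if k.lower() != "x-content-type-options"}
    fixed["X-Content-Type-Options"] = "nosniff"
    return fixed


# Constructed sample responses; example.test is a reserved placeholder domain.
SAMPLE_RESPONSES = [
    Response("https://example.test/uploads/avatar",
             {"Content-Type": "application/octet-stream"}),
    Response("https://example.test/api/profile",
             {"Content-Type": "application/json; charset=utf-8",
              "x-content-type-options": "NoSniff"}),
    Response("https://example.test/pages/user-1",
             {"Cache-Control": "no-store"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding.url)
        for problem in finding.problems:
            print("  -", problem)
```

Running the script lists the two placeholder responses that a browser is still permitted to sniff; `harden()` is the per-response fix, and in a real deployment it would be applied by the server or a middleware to every response rather than to a dictionary.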