Re: Intent to Ship - Support XCTO: nosniff for navigations

2019-09-05 Thread Boris Zbarsky
On 9/5/19 9:20 AM, Sebastian Streich wrote: In Firefox 70 I intend to enable nosniff support for page navigations by default. We're still doing stream converters for navigations even if that header is sent. Is that intended? I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1579176 to

Re: Intent to Ship - Support XCTO: nosniff for navigations

2019-09-05 Thread Daniel Veditz
On Thu, Sep 5, 2019 at 6:21 AM Sebastian Streich wrote: > Link to standard: > https://fetch.spec.whatwg.org/#x-content-type-options-header That bit of the standard doesn't describe this behavior--it still only talks about scripts and style. Is there an issue or PR to update the spec to

Intent to Ship - Support XCTO: nosniff for navigations

2019-09-05 Thread Sebastian Streich
Currently the Support for “X-Content-Type-Options: nosniff“ is limited to CSS and JS resources. In Firefox 70 I intend to enable nosniff support for page navigations by default. If a server's response does not include any mime-type but sets the response header "XCTO: nosniff" then Firefox will