Hello,
although this has been around for a while, I just stumbled again over this
HTTP header when I analysed the bits on the wire of some web applications:
X-Content-Type-Options: nosniff – This prevents “MIME” based attacks.
The header instructs the browser not to override the response content
type. For example, some browsers try to be smart by deciding for
themselves whether the content really is text/html or an image. So with
the nosniff option, if the server says the content is text/html, then
the browser needs to render it as text/html.
Is this something we should mention in mime-sniff, or even consider
encouraging?
Kind regards, Tobias
On 2011-05-08 02:45, [email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Security Working Group of the IETF.
Title : Media Type Sniffing
Author(s) : A. Barth, I. Hickson
Filename : draft-ietf-websec-mime-sniff-03.txt
Pages : 24
Date : 2011-05-07
...
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
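To make the behaviour Tobias describes concrete, here is an added example (not code from the draft, the list, or any browser): a reduced sketch of what a sniffing browser does with a vaguely-typed response, and how `X-Content-Type-Options: nosniff` switches that off. The signature table, the set of "sniffable" declared types and the sample responses are constructed for illustration and are deliberately much smaller than the algorithm in draft-ietf-websec-mime-sniff; the helper names (`parse_response`, `effective_type`, `audit`) are assumptions of this example. The interesting case is the first sample: a user-supplied upload served as `text/plain` that a sniffing browser would happily render as HTML.

```python
"""Simplified illustration of Content-Type sniffing and the nosniff opt-out.

Added example, not the mime-sniff draft's algorithm: a trimmed-down sketch
of the behaviour described on the page. Everything below (signatures,
which declared types are overridden, the sample responses) is constructed.
"""
from typing import Dict, Optional, Tuple

# Byte prefixes that a sniffing browser treats as "this is really HTML".
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")
# A few image signatures (constructed subset for the example).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}
# Declared types a sniffing browser is willing to second-guess.
SNIFFABLE = ("", "text/plain", "application/octet-stream", "unknown/unknown")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when X-Content-Type-Options carries the token 'nosniff'
    (compared case-insensitively; any other value is ignored)."""
    value = headers.get("x-content-type-options", "")
    return value.split(";")[0].strip().lower() == "nosniff"


def sniffed_type(body: bytes) -> Optional[str]:
    """Guess a type from the leading bytes, the way a sniffing browser would."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    prefix = body[:512].lstrip().lower()
    if any(prefix.startswith(marker) for marker in HTML_MARKERS):
        return "text/html"
    return None


def effective_type(headers: Dict[str, str], body: bytes) -> str:
    """The type the (model) browser will actually act on."""
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if nosniff_enabled(headers):
        # Server opted out of sniffing: the declared type is final.
        return declared or "application/octet-stream"
    if declared in SNIFFABLE:
        guess = sniffed_type(body)
        if guess:
            return guess  # body wins over a vague/missing declaration
    return declared or "application/octet-stream"


def audit(raw: bytes) -> Dict[str, object]:
    """Summary a tester would want per response: declared vs. effective type."""
    _, headers, body = parse_response(raw)
    return {
        "declared": headers.get("content-type", "").split(";")[0].strip().lower(),
        "nosniff": nosniff_enabled(headers),
        "effective": effective_type(headers, body),
    }


# Constructed sample responses (not captured traffic).
UPLOAD_PAYLOAD = b"<html><script>alert(document.cookie)</script></html>"
UPLOAD_WITHOUT_NOSNIFF = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + UPLOAD_PAYLOAD
)
UPLOAD_WITH_NOSNIFF = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
    b"X-Content-Type-Options: nosniff\r\n\r\n" + UPLOAD_PAYLOAD
)
PNG_AS_PLAIN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
)

if __name__ == "__main__":
    for label, raw in [("upload, no nosniff", UPLOAD_WITHOUT_NOSNIFF),
                       ("upload, nosniff", UPLOAD_WITH_NOSNIFF),
                       ("png as text/plain", PNG_AS_PLAIN)]:
        print(label, audit(raw))
```

The script is intended as a stand-in for what you would check when "analysing the bits on the wire": pull each response, look at whether the declared type is one a browser may second-guess, and whether the server sent the opt-out. Note that the model only overrides the declared type when it is absent or vague; a response that declares `text/html` is rendered as HTML with or without the header, which is the point of the last sentence of the mail.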