As I recall, the nosniff directive is pretty controversial.

Adam
On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom <[email protected]> wrote:
> Hello,
>
> although this has been around for a while, just stumbled again over this
> http header when I analysed the bits on the wire of some web applications:
>
> X-Content-Type-Options: nosniff – This prevents "mime" based attacks. The
> header instructs the browser not to override the response content type. For
> example, some browsers try to be smart by deciding for themselves if the
> content really is text/html or an image. So with the nosniff option, if
> the server says the content is text/html, then the browser needs to render
> it as text/html.
>
> Is this something we should mention in mime-sniff or even consider
> encouraging?
>
> Kind regards, Tobias
>
>
>> On 2011-05-08 02:45, [email protected] wrote:
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Web Security Working Group of the IETF.
>>>
>>>
>>> Title : Media Type Sniffing
>>> Author(s) : A. Barth, I. Hickson
>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>> Pages : 24
>>> Date : 2011-05-07
>>> ...
>>
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
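The quoted message describes the effect of X-Content-Type-Options: nosniff in prose. The script below is an added illustration, not code from the thread or from the mime-sniff draft: it parses a constructed raw HTTP response and reports which media type a sniffing browser would end up treating the body as, with and without the header. The "looks like HTML" heuristic is a deliberate, assumed simplification (a handful of tag signatures near the start of the body), standing in for the much longer table in the draft; the helper names are my own.

```python
"""
Added example (not part of the websec thread): decide whether a response
that declares one Content-Type could be re-interpreted as text/html by a
sniffing browser, and show that X-Content-Type-Options: nosniff pins the
declared type. The sniffing rule here is a simplified assumption, not the
draft's full algorithm.
"""

# Assumed, simplified set of byte signatures that a sniffing browser treats
# as "this is really HTML" when they appear at the start of the body.
HTML_SIGNATURES = (
    b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe",
    b"<body", b"<title", b"<div", b"<table", b"<a ", b"<p", b"<br",
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, matching
    how HTTP header names are compared.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def nosniff_enabled(headers: dict) -> bool:
    """True when the response carries X-Content-Type-Options: nosniff."""
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def looks_like_html(body: bytes) -> bool:
    """Simplified sniffing check on the first 512 bytes of the body."""
    sample = body[:512].lstrip().lower()
    return sample.startswith(HTML_SIGNATURES)


def effective_type(raw: bytes):
    """Return (media type the browser would use, whether it was sniffed).

    With nosniff the declared type wins unconditionally. Without it, a
    text/plain (or missing) type whose body starts with an HTML signature
    is promoted to text/html, which is the case the quoted message warns
    about: a user-controlled "text" file rendering as a page that runs
    script in the site's origin.
    """
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if nosniff_enabled(headers):
        return declared, False
    if declared in ("", "text/plain") and looks_like_html(body):
        return "text/html", True
    return declared, False


# Constructed sample responses: the same attacker-supplied body served as
# text/plain, once without and once with the header.
SNIFFABLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"<html><script>alert(document.cookie)</script></html>"
)
PROTECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html><script>alert(document.cookie)</script></html>"
)


if __name__ == "__main__":
    for label, raw in (("without nosniff", SNIFFABLE), ("with nosniff", PROTECTED)):
        media_type, sniffed = effective_type(raw)
        print(f"{label}: browser treats body as {media_type} (sniffed={sniffed})")
```

Running it prints that the unprotected response is promoted to text/html while the protected one stays text/plain. Note that this covers only the content-type override described in the message; current browsers additionally use nosniff to refuse to execute `<script>` or apply stylesheets whose declared type is not a script or CSS type, which is a separate use of the same header.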
