That's treated as text/plain, for what it's worth. Strangely, it's more common to get an empty content type with a nosniff directive than without one (by a few fractions of a percent).
Adam On Wed, Sep 28, 2011 at 4:31 PM, Tobias Gondrom <[email protected]> wrote: > I can imagine. As there come problems with it, just thinking of empty > content-types and then forbidding to sniff. Just a thought. > > Tobias > > > On 29/09/11 00:26, Adam Barth wrote: >> >> As I recall, the nosniff directive is pretty controversial. >> >> Adam >> >> >> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom >> <[email protected]> wrote: >>> >>> Hello, >>> >>> although this has been around for a while, just stumbled again over this >>> http header when I analysed the bits on the wire of some web >>> applications: >>> >>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The >>> header instructs the browser not to override the response content type. >>> For >>> example, some browsers try to be smart by deciding for themselves if the >>> content is really is text/html or an image. So with the nosniff option, >>> if >>> the server says the content is text/html, then the browser needs to >>> render >>> it as text/html. >>> >>> Is this something we should mention in mime-sniff or even consider to >>> encourage? >>> >>> Kind regards, Tobias >>> >>> >>>> On 2011-05-08 02:45, [email protected] wrote: >>>>> >>>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>>> directories. >>>>> This draft is a work item of the Web Security Working Group of the >>>>> IETF. >>>>> >>>>> >>>>> Title : Media Type Sniffing >>>>> Author(s) : A. Barth, I. Hickson >>>>> Filename : draft-ietf-websec-mime-sniff-03.txt >>>>> Pages : 24 >>>>> Date : 2011-05-07 >>>>> ... >>> >>> _______________________________________________ >>> websec mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/websec >>> > > _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
