On 2011/09/29 8:26, Adam Barth wrote:
As I recall, the nosniff directive is pretty controversial.
But then, as I recall, the whole business of sniffing is pretty
controversial to start with. Are there differences between the
controversiality of sniffing as such and the controversiality of the
nosniff directive that explain why one is in the draft and the other is not?
Regards, Martin.
Adam
On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
<[email protected]> wrote:
Hello,
although this has been around for a while, just stumbled again over this
HTTP header when I analysed the bits on the wire of some web applications:
X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
header instructs the browser not to override the response content type. For
example, some browsers try to be smart by deciding for themselves if the
content really is text/html or an image. So with the nosniff option, if
the server says the content is text/html, then the browser needs to render
it as text/html.
Is this something we should mention in mime-sniff or even consider to
encourage?
Kind regards, Tobias
On 2011-05-08 02:45, [email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Security Working Group of the IETF.
Title : Media Type Sniffing
Author(s) : A. Barth, I. Hickson
Filename : draft-ietf-websec-mime-sniff-03.txt
Pages : 24
Date : 2011-05-07
...
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
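Added example, not part of the original thread: a Python check for the X-Content-Type-Options header discussed above, run over captured response heads. The sample responses and function names are constructed for illustration, and treating only the first header token as significant is an assumption of this sketch.

```python
# Added example: audit captured HTTP response heads for X-Content-Type-Options.
# All sample responses below are constructed for illustration.

def parse_head(raw):
    """Split a raw response head into (status_line, [(name_lower, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than guessing
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def nosniff_enabled(headers):
    """True only if the first X-Content-Type-Options token is 'nosniff'.

    Assumption: repeated headers are joined with commas and only the first
    token counts, matched case-insensitively.
    """
    values = [v for n, v in headers if n == "x-content-type-options"]
    if not values:
        return False
    tokens = [t.strip() for t in ",".join(values).split(",")]
    return tokens[0].lower() == "nosniff"


def audit(raw):
    """Return a finding string for one captured response head."""
    _, headers = parse_head(raw)
    declared = next((v for n, v in headers if n == "content-type"), None)
    if declared is None:
        return "no-content-type"  # no declared type for the browser to honour
    if not nosniff_enabled(headers):
        return "sniffable"        # browser may override the declared type
    return "ok"


SAMPLES = {  # constructed captures
    "good": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-content-type-options: NoSniff\r\n\r\n<p>hi</p>",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello",
    "typo": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nX-Content-Type-Options: no-sniff\r\n\r\n",
    "untyped": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\ndata",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw))
```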