On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
<[email protected]> wrote:
> On 2011/09/29 8:26, Adam Barth wrote:
>>
>> As I recall, the nosniff directive is pretty controversial.
>
> But then, as I recall, the whole business of sniffing is pretty
> controversial to start with. Are there differences between the
> controversiality of sniffing as such and the controversiality of the nosniff
> directive that explain why one is in the draft and the other is not?

The reason why one is in and the other isn't is just historical.
nosniff didn't exist at the time the document was originally written.

Adam


>> On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom
>> <[email protected]>  wrote:
>>>
>>> Hello,
>>>
>>> although this has been around for a while, just stumbled again over this
>>> HTTP header when I analysed the bits on the wire of some web
>>> applications:
>>>
>>> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The
>>> header instructs the browser not to override the response content type.
>>> For example, some browsers try to be smart by deciding for themselves if
>>> the content really is text/html or an image. So with the nosniff option,
>>> if the server says the content is text/html, then the browser needs to
>>> render it as text/html.
>>>
>>> Is this something we should mention in mime-sniff or even consider to
>>> encourage?
>>>
>>> Kind regards, Tobias
>>>
>>>
>>>> On 2011-05-08 02:45, [email protected] wrote:
>>>>>
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>>> directories.
>>>>> This draft is a work item of the Web Security Working Group of the
>>>>> IETF.
>>>>>
>>>>>
>>>>> Title : Media Type Sniffing
>>>>> Author(s) : A. Barth, I. Hickson
>>>>> Filename : draft-ietf-websec-mime-sniff-03.txt
>>>>> Pages : 24
>>>>> Date : 2011-05-07
>>>>> ...
>>>>
>>>
>>> _______________________________________________
>>> websec mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/websec
>>>

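An added example, not part of the thread or of the mime-sniff draft: a defender-side audit of raw HTTP responses for the header quoted above. It flags responses that lack `X-Content-Type-Options: nosniff` and whose body starts like HTML although a different type is declared. The function names, the HTML hint pattern and the sample responses are assumptions constructed for this illustration.

```python
import re

# Leading bytes that a content-sniffing browser could treat as HTML.
# Simplified assumption for this example, not the draft's full algorithm.
HTML_HINT = re.compile(rb"^\s*<(?:!doctype html|html|head|body|script|iframe)\b", re.I)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def audit(raw: bytes):
    """Return a list of findings about sniffing exposure for one response."""
    headers, body = parse_response(raw)
    findings = []
    # Media type without parameters such as charset
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    # Header names and the nosniff token are compared case-insensitively
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not declared:
        findings.append("no Content-Type declared")
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff missing")
        # Without nosniff, a sniffing browser may override the declared type
        if declared != "text/html" and HTML_HINT.match(body):
            findings.append(f"body looks like HTML but is declared as {declared or 'no type'}")
    return findings

# Constructed samples: the same HTML body served as image/png, without and with nosniff.
BODY = b"<html><body>constructed sample</body></html>"
UNPROTECTED = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + BODY
PROTECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
             b"X-Content-Type-Options: nosniff\r\n\r\n" + BODY)

if __name__ == "__main__":
    for name, raw in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, audit(raw))
```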