<hat="individual">
Whether browsers will implement it, I can't tell. Maybe we can learn more
when we progress further with the mime-sniff draft.
I don't have a strong opinion on the nosniff header.
Depending on where the mime-sniff debate leads us, it might be a way
to mitigate concerns that in certain cases you really SHOULD NOT or MUST
NOT (RFC 2119) sniff. Well, and with such a header you could enforce
exactly that for your sources, without breaking other unknown
things/sites, which is the main reason for many browser vendors to
start doing sniffing in the first place.
(In one way, nosniff could even be a migration path to less sniffing....)
Best regards, Tobias
On 01/10/11 15:30, Phillip Hallam-Baker wrote:
On Sat, Oct 1, 2011 at 2:47 AM, Adam Barth<[email protected]> wrote:
On Fri, Sep 30, 2011 at 10:14 PM, "Martin J. Dürst"
<[email protected]> wrote:
On 2011/09/29 11:45, Adam Barth wrote:
On Wed, Sep 28, 2011 at 5:44 PM, "Martin J. Dürst"
<[email protected]> wrote:
On 2011/09/29 8:26, Adam Barth wrote:
As I recall, the nosniff directive is pretty controversial.
But then, as I recall, the whole business of sniffing is pretty
controversial to start with. Are there differences between the
controversiality of sniffing as such and the controversiality of the
nosniff directive that explain why one is in the draft and the other is not?
The reason why one is in and the other isn't is just historical.
nosniff didn't exist at the time the document was originally written.
Your first answer sounded as if the nosniff directive was too controversial
to be included in any draft, but your second answer seems to suggest that it
was left out by (historical) accident, and that it might be worth including
it.
The essential question isn't whether we should include it in the
draft. The essential question is whether folks want to implement it.
If no one wants to implement it, putting it in the draft is a
negative. If folks want to implement, then we can deal with the
controversy.
+1
The controversy seems to be of the 'cut off nose to spite face'
variety. Sniffing is definitely terrible from a security perspective,
but people do it. Java and JavaScript were terrible as well, but
people did them and then left the rest of us with a mess that had to
be fixed slowly over the next ten years.
Sure, this is not something we should have to think about, but the fact
is that the browsers do it, and it is better for the standards to
describe what the browsers actually do than what people think they
should do.
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
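Tobias's point above, that a server can opt its own resources out of sniffing with the nosniff header, as an added example that is not part of the thread and not any browser's or the mime-sniff draft's code: a simplified model of a browser's content-type decision, first without and then with X-Content-Type-Options: nosniff. The HTML marker list, the set of "sniffable" declared types, the sample responses and the script/style rule (modelled on the IE8-era semantics of the header) are assumptions made for the illustration.

```javascript
// Added example: a simplified model of how a browser might decide a
// response's effective MIME type with and without nosniff. Illustration
// only; not the mime-sniff draft's algorithm, not any vendor's code.

// Constructed: a handful of leading byte patterns a sniffer might treat as
// HTML. Real sniffers use a longer, more tolerant table.
const HTML_MARKERS = [
  "<!doctype html", "<html", "<head", "<body", "<script", "<iframe", "<a ",
];

// Declared types a browser would historically second-guess (assumed set).
const SNIFFABLE = new Set(["", "text/plain", "application/octet-stream", "unknown/unknown"]);

// JavaScript MIME types accepted for <script> under nosniff (assumed set).
const JS_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "application/ecmascript", "text/ecmascript",
]);

// Parse a raw HTTP/1.1 response string into {status, headers, body}.
// Header names are lower-cased; a repeated header keeps the last value.
function parseResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  if (sep < 0) throw new Error("no header/body separator");
  const lines = raw.slice(0, sep).split("\r\n");
  const status = lines.shift();
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status, headers, body: raw.slice(sep + 4) };
}

// Media type from Content-Type, without parameters, lower-cased.
function declaredType(headers) {
  return (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
}

function hasNosniff(headers) {
  return (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
}

// Do the first 512 bytes look like HTML? Leading whitespace is skipped.
function looksLikeHtml(body) {
  const s = body.slice(0, 512).replace(/^\s+/, "").toLowerCase();
  return HTML_MARKERS.some((m) => s.startsWith(m));
}

// Effective type for a top-level navigation to this response.
function effectiveType(response) {
  const declared = declaredType(response.headers);
  if (hasNosniff(response.headers)) {
    // nosniff: the server's word is final, even for a "sniffable" type.
    return { type: declared || "application/octet-stream", sniffed: false };
  }
  if (SNIFFABLE.has(declared) && looksLikeHtml(response.body)) {
    // Without nosniff, an uploaded "text file" is promoted to HTML and its
    // script runs in the serving origin.
    return { type: "text/html", sniffed: true };
  }
  return { type: declared || "application/octet-stream", sniffed: false };
}

// Subresource rule under nosniff: a <script> needs a JavaScript MIME type
// and a stylesheet needs text/css, otherwise the browser refuses to use it.
function subresourceAllowed(response, kind) {
  if (!hasNosniff(response.headers)) return true;
  const t = declaredType(response.headers);
  if (kind === "script") return JS_TYPES.has(t);
  if (kind === "style") return t === "text/css";
  return true;
}

// Constructed sample: a "text file" upload that is really an HTML payload.
const PAYLOAD = "<html><script>alert(document.cookie)</script></html>";
const SNIFFED_RESPONSE =
  "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + PAYLOAD;
const NOSNIFF_RESPONSE =
  "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n" +
  "X-Content-Type-Options: nosniff\r\n\r\n" + PAYLOAD;

// Same bytes, two outcomes: {withoutNosniff: "text/html", withNosniff: "text/plain"}.
function demo() {
  return {
    withoutNosniff: effectiveType(parseResponse(SNIFFED_RESPONSE)).type,
    withNosniff: effectiveType(parseResponse(NOSNIFF_RESPONSE)).type,
  };
}

console.log(demo());
```

The point of the two constructed responses is the one Tobias makes: the header lets a site that serves user-supplied content pin the declared type for its own resources, while sites that never send it keep whatever sniffing behaviour the browser already has.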