<hat="individual">
Agree with this one.
With one addition: it must be clear that if you "opt-in" for sniffing,
then you MUST (SHOULD?) follow the mime-sniffing algorithm.
Kind regards, Tobias
On 24/10/11 00:48, websec issue tracker wrote:
#20: Sniffing should be "opt in" on a case-by-case basis
The way the document is written as a normative algorithm makes it hard to
say this, but:
Every implementation should be free to "opt out" of sniffing based on
other information it has (previous experience with the site, information
based on whether a correct MIME type was given vs. misconfigured, etc.)
From the point of view of a web site, there's no additional security or
danger from opting out on a case-by-case basis; it's the same as, on a
case-by-case basis, choosing between two implementations, one of which
always sniffs and the other never sniffs.
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec