This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 19865 - Document proper use of X-Content-Type-Options: nosniff
Summary: Document proper use of X-Content-Type-Options: nosniff
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: MIME
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Gordon P. Hemsley
QA Contact: sideshowbarker+mimespec
URL: http://blogs.msdn.com/ie/archive/2008...
Whiteboard:
Keywords:
Duplicates: 21742
Depends on:
Blocks: 19746
Reported: 2012-11-05 18:44 UTC by Gordon P. Hemsley
Modified: 2019-03-29 22:57 UTC (History)

Description Gordon P. Hemsley 2012-11-05 18:44:00 UTC
Related to IETF issue #23:
http://trac.tools.ietf.org/wg/websec/trac/ticket/23

Microsoft introduced the 'X-Content-Type-Options' header to give servers a way to prevent browser sniffing:

http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

I think this would be a useful addition to the spec, but it shouldn't apply universally, so we'll need to figure out exactly where it fits in.

A test implementation is available here:

http://franklin.pacificstorms.org/IE8-Test/authoritativeMIME.php
Comment 1 Gordon P. Hemsley 2012-11-16 23:18:23 UTC
IE9 added additional use cases:

http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
Comment 2 Gordon P. Hemsley 2013-04-18 17:48:58 UTC
*** Bug 21742 has been marked as a duplicate of this bug. ***
Comment 3 Gordon P. Hemsley 2013-04-18 17:50:23 UTC
Discussion about inclusion in Gecko:

https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Comment 4 Gordon P. Hemsley 2013-04-18 17:53:21 UTC
Discussion on cross-browser functionality:

http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-November/037983.html
Comment 5 Gordon P. Hemsley 2013-05-10 19:19:50 UTC
This is now specced.

Feedback welcome:

http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-May/039561.html
Comment 6 Gordon P. Hemsley 2019-03-29 22:57:23 UTC
Per comment 5.