[whatwg] [mimesniff] The X-Content-Type-Options header

Anne van Kesteren annevk at annevk.nl
Fri Nov 16 14:28:32 PST 2012


On Fri, Nov 16, 2012 at 2:19 PM, Gordon P. Hemsley <gphemsley at gmail.com> wrote:
> In addition, I would like to, if I could, also allow the header to be
> specified without the 'X-' prefix (so as 'Content-Type-Options'), for
> that reason (and because of best current practice).
>
> Does anyone have any questions, comments, or objections about this issue?

Not sure why you would drop the prefix if it's not supported. Doesn't
seem like best practice to me to needlessly break compatibility. ;-)

Also, are we sure they are not sniffing still? E.g. how is mislabeled
image content treated? I vaguely recall an image/png resource that's
actually a GIF, still working even in the presence of this header.
<script> probably still executes too, although I guess MIME sniff
currently has no say in how <script> loading does not care about the
MIME type.


-- 
http://annevankesteren.nl/


