[webkit-dev] Adding 'X-Content-Type-Options: nosniff' support for scripts.

Mike West mkwst at chromium.org
Thu Feb 7 01:18:45 PST 2013


(resending from the correct address)

I just checked
http://philip.html5.org/tests/ie8/cases/content-type-nosniff.html in IE10, and
'http://philip.html5.org/tests/ie8/cases/resources/script_as_text_plain_nosniff'
is blocked as expected. It looks like they resolved the issues they faced
without changing the behavior significantly.

-mike

-Mike


On Thu, Feb 7, 2013 at 10:17 AM, Mike West <mkwst at google.com> wrote:

> I just checked
> http://philip.html5.org/tests/ie8/cases/content-type-nosniff.html in
> IE10, and
> 'http://philip.html5.org/tests/ie8/cases/resources/script_as_text_plain_nosniff'
> is blocked as expected. It looks like they resolved the issues they faced
> without changing the behavior significantly.
>
> -mike
>
> --
> Mike West <mkwst at google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Wed, Feb 6, 2013 at 7:19 PM, Adam Barth <abarth at webkit.org> wrote:
>
>> We should check whether IE still has that behavior (i.e., in the
>> latest version of IE).  I remember them running into some
>> compatibility problems with that aspect of nosniff, and I'm not sure
>> if they resolved those issues via evangelism or by adopting our
>> behavior.
>>
>> Adam
>>
>>
>> On Wed, Feb 6, 2013 at 1:33 AM, Mike West <mkwst at chromium.org> wrote:
>> > Continuing my trend of digging up old threads, I'd like to implement support
>> > for 'X-Content-Type-Options: nosniff' when processing script, as discussed
>> > way back in 2011:
>> > https://lists.webkit.org/pipermail/webkit-dev/2011-November/018557.html .
>> >
>> > This should be a pretty small patch[1], but because support might require
>> > work outside WebKit, I'll implement it behind an ENABLE_NOSNIFF flag[2].
>> >
>> > Thanks!
>> >
>> > [1]: https://bugs.webkit.org/show_bug.cgi?id=71851
>> > [2]: https://bugs.webkit.org/show_bug.cgi?id=109029
>> >
>> > -mike
>> >
>> >
>>
>
>