[Webkit-unassigned] [Bug 136452] Enable of X-Content-Type-Options: nosniff header, and remove #if guards

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 4 09:27:04 PDT 2014


--- Comment #8 from Alexey Proskuryakov <ap at webkit.org>  2014-09-04 09:27:05 PST ---
Thanks Ossy! I tried nosniff-script-blocked.html, and it fails in Firefox. I did not try IE.

The code that this patch enables appears to implement something that is not specced, and what looks quite strange. Its effect is that X-Content-Type-Options: nosniff does two different things at separate levels of browser stack:

1. It disables Content-Type sniffing, which is implemented by low level networking code such as CFNetwork.

2. It enables strict MIME type checking for scripts. For some context, strict MIME type checking for CSS is enabled with HTML parser strict mode, so it's controlled by the embedding document, not by the script resource itself. It's quite inconsistent to do the opposite for scripts.

To proceed with this patch, we need to understand why this makes sense, and it would also be helpful to find out why Mozilla doesn't implement #2.

If we decide to not proceed, it would probably be best to remove the code from trunk.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list