Hi,

Tom Schuster (evilpie) has been working on a patch to add X-Content-Type-Options: nosniff support to Gecko (thanks Tom!). He has some questions in the bug (https://bugzilla.mozilla.org/show_bug.cgi?id=471020#c19):

"I think we need to define some kind of rules (a specification if you will) for when we actually want to block sniffing. In the next patch I am going to apply, only sniffing for documents is disabled, and at least Chromium seems to follow the same rules. Let me enumerate some examples:

- something that looks like HTML - no Content-Type => displayed as text/plain
- an image - no Content-Type => displayed as text/plain
- an image - non-matching Content-Type (e.g. image/png for a JPEG image) => displayed as image

We also disable sniffing based on the extension (.html etc.)

But on the other hand this also has no effect on, for example:

- images included via the image tag
- style sheets (we already block style sheets with the wrong content-type in standard mode)

From what I can tell my patch exhibits the same behavior as Chromium."

We are looking for feedback on this implementation - there seems to be no real spec for X-Content-Type-Options, and maybe we should consider proposing and driving a real spec, in the W3C Web Application Security Working Group perhaps (if that's the appropriate venue). We at least should discuss and document the implementation Tom is working on for Gecko and make sure there's consensus from security folks that it's the right approach.

thanks!
ian

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
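The rule set Tom enumerates above (nosniff applies to document loads only; a document with no Content-Type is rendered as text/plain regardless of what the bytes or the file extension look like; a declared image type is still handed to the image decoder even when it does not match the bytes; image-tag and stylesheet loads are unaffected) can be exercised as a small model. The following is an added illustration for the discussion, not Gecko's or Chromium's code: the header parsing, the fallback sniffer, the extension table and the function names are assumptions made for the example.

```python
"""Model of the nosniff decision rules described in the thread.

Added illustration, not Gecko's or Chromium's code: it encodes the behaviour
Tom enumerates so the rule set can be exercised against constructed responses.
The sniffer, the extension table and the helper names are assumptions made
for the example.
"""
import re

# Constructed magic-number table for the fallback sniffer (small subset).
IMAGE_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
# Tags whose presence near the start of a body make it "look like HTML".
HTML_TAG_RE = re.compile(rb"<(!doctype\s+html|html|head|body|script|iframe|title)\b", re.I)
# Constructed extension table, consulted only when extension-based sniffing is allowed.
EXTENSION_MAP = {".html": "text/html", ".htm": "text/html",
                 ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".gif": "image/gif"}


def header(headers, name):
    """Case-insensitive header lookup over a plain dict; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def has_nosniff(headers):
    """True when X-Content-Type-Options carries the value 'nosniff' (compared case-insensitively)."""
    value = header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def sniff_body(body):
    """Content sniffing used only when sniffing is permitted: image magic, then HTML-looking text."""
    for magic, mime in IMAGE_MAGIC:
        if body.startswith(magic):
            return mime
    if HTML_TAG_RE.search(body[:512]):
        return "text/html"
    return None


def effective_type(content_type, body, nosniff, context="document", extension=None):
    """Return the MIME type the model would render the response as.

    context is 'document' for a top-level or frame load, or 'image' /
    'stylesheet' for subresource loads, which the patch leaves unaffected.
    """
    # A declared Content-Type is honoured as-is. Under nosniff this covers the
    # "image/png for a JPEG" case: the response still goes to the image
    # decoder (displayed as an image) rather than falling back to text/plain.
    if content_type:
        return content_type.split(";", 1)[0].strip().lower()
    # No Content-Type at all. For a document load under nosniff neither the
    # body nor the file extension is consulted: the response is text/plain.
    if nosniff and context == "document":
        return "text/plain"
    # Otherwise sniffing is permitted: body first, then the extension (.html etc.).
    sniffed = sniff_body(body)
    if sniffed:
        return sniffed
    if extension and extension.lower() in EXTENSION_MAP:
        return EXTENSION_MAP[extension.lower()]
    return "text/plain"


def decide(headers, body, context="document", extension=None):
    """Convenience wrapper: derive nosniff and Content-Type from a header dict."""
    return effective_type(header(headers, "Content-Type"), body,
                          has_nosniff(headers), context, extension)


if __name__ == "__main__":
    # Constructed sample bodies.
    html = b"<!DOCTYPE html><html><body>hi</body></html>"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 8
    print(decide({"X-Content-Type-Options": "nosniff"}, html, extension=".html"))  # text/plain
    print(decide({}, html, extension=".html"))                                     # text/html
    print(decide({"X-Content-Type-Options": "nosniff", "Content-Type": "image/png"}, jpeg))  # image/png
```

The three cases in the bug comment map onto `decide` directly: the first two fall through to the `nosniff and context == "document"` branch, the mismatched-image case is handled by honouring the declared type, and passing `context="image"` or `context="stylesheet"` shows that the same header has no effect on subresource loads.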