Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 28 September 2011 23:29 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FC1D11E8150 for <websec@ietfa.amsl.com>; Wed, 28 Sep 2011 16:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.495
X-Spam-Level:
X-Spam-Status: No, score=-96.495 tagged_above=-999 required=5 tests=[AWL=0.283, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUW6tK5TfRHu for <websec@ietfa.amsl.com>; Wed, 28 Sep 2011 16:29:31 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 769B711E8088 for <websec@ietf.org>; Wed, 28 Sep 2011 16:29:31 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=LYrjXoKJFoNQyejYKmgUPhFxJXCtOJkG+khlDlcabaB+U4KStXenZYZHRPTawdFQFG7uW/A/I0e8Nl7OLKMW8vWWdHjFBkSRhFWqybj5HrIWpUPpEHIcXQSsXayJ2PY3; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:X-Priority:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 30447 invoked from network); 29 Sep 2011 01:31:03 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.65?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 29 Sep 2011 01:31:02 +0200
Message-ID: <4E83AE36.7080008@gondrom.org>
Date: Thu, 29 Sep 2011 00:31:02 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20110906 Thunderbird/6.0.2
MIME-Version: 1.0
To: ietf@adambarth.com
X-Priority: 4 (Low)
References: <20110508004502.3883.40670.idtracker@ietfa.amsl.com> <4E7DB8E4.9040208@gmx.de> <4E83AA99.6080308@gondrom.org> <CAJE5ia_k3vXWixC6UsJ6mJ08xW8NQO06MVVD9-dzYSOFkDfutg@mail.gmail.com>
In-Reply-To: <CAJE5ia_k3vXWixC6UsJ6mJ08xW8NQO06MVVD9-dzYSOFkDfutg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: websec@ietf.org
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 23:29:32 -0000
I can imagine. As there come problems with it, just thinking of empty content-types and then forbidding to sniff. Just a thought. Tobias On 29/09/11 00:26, Adam Barth wrote: > As I recall, the nosniff directive is pretty controversial. > > Adam > > > On Wed, Sep 28, 2011 at 4:15 PM, Tobias Gondrom > <tobias.gondrom@gondrom.org> wrote: >> Hello, >> >> although this has been around for a while, just stumbled again over this >> http header when I analysed the bits on the wire of some web applications: >> >> X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The >> header instructs the browser not to override the response content type. For >> example, some browsers try to be smart by deciding for themselves if the >> content is really is text/html or an image. So with the nosniff option, if >> the server says the content is text/html, then the browser needs to render >> it as text/html. >> >> Is this something we should mention in mime-sniff or even consider to >> encourage? >> >> Kind regards, Tobias >> >> >>> On 2011-05-08 02:45, Internet-Drafts@ietf.org wrote: >>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>> directories. >>>> This draft is a work item of the Web Security Working Group of the IETF. >>>> >>>> >>>> Title : Media Type Sniffing >>>> Author(s) : A. Barth, I. Hickson >>>> Filename : draft-ietf-websec-mime-sniff-03.txt >>>> Pages : 24 >>>> Date : 2011-05-07 >>>> ... >> _______________________________________________ >> websec mailing list >> websec@ietf.org >> https://www.ietf.org/mailman/listinfo/websec >>
- [websec] I-D Action:draft-ietf-websec-mime-sniff-… Internet-Drafts
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Julian Reschke
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Alexey Melnikov
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Tobias Gondrom
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Tobias Gondrom
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Martin J. Dürst
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Martin J. Dürst
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Adam Barth
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Phillip Hallam-Baker
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Tobias Gondrom
- Re: [websec] I-D Action:draft-ietf-websec-mime-sn… Bjoern Hoehrmann