Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 28 September 2011 23:13 UTC
Message-ID: <4E83AA99.6080308@gondrom.org>
Date: Thu, 29 Sep 2011 00:15:37 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <20110508004502.3883.40670.idtracker@ietfa.amsl.com> <4E7DB8E4.9040208@gmx.de>
In-Reply-To: <4E7DB8E4.9040208@gmx.de>
Subject: Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt
Hello,

although this has been around for a while, I just stumbled again over this HTTP header when I analysed the bits on the wire of some web applications:

X-Content-Type-Options: nosniff

This prevents “mime”-based attacks. The header instructs the browser not to override the response content type. For example, some browsers try to be smart by deciding for themselves whether the content really is text/html or an image. So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

Is this something we should mention in mime-sniff or even consider encouraging?

Kind regards, Tobias

> On 2011-05-08 02:45, Internet-Drafts@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Security Working Group of the IETF.
>>
>>
>> Title : Media Type Sniffing
>> Author(s) : A. Barth, I. Hickson
>> Filename : draft-ietf-websec-mime-sniff-03.txt
>> Pages : 24
>> Date : 2011-05-07
>> ...
>
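To make the effect of the header concrete, here is an added illustration (not code from the draft or from anyone in this thread) of how a browser's choice of media type changes when X-Content-Type-Options: nosniff is present. The signature table and the sniffer are deliberately tiny stand-ins for the much longer tables in the draft; that simplification is an assumption of this example.

```python
"""How X-Content-Type-Options: nosniff changes the media type a browser
renders with. Added example; not from the draft or the mailing-list thread."""
from typing import Dict, List, Optional, Tuple

# Constructed, minimal signature table (assumption: real sniffers use far
# more patterns, see the draft): leading bytes -> sniffed media type.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Constructed subset of HTML markers a sniffer looks for near the start.
HTML_TAGS = (b"<!doctype html", b"<html", b"<script", b"<body")


def sniff(body: bytes) -> Optional[str]:
    """Stand-in for a browser's content sniffer: guess a type from bytes."""
    for magic, mtype in SIGNATURES:
        if body.startswith(magic):
            return mtype
    head = body.lstrip()[:64].lower()
    if head.startswith(HTML_TAGS):
        return "text/html"
    return None


def effective_type(headers: Dict[str, str], body: bytes) -> str:
    """Media type the browser will render with.

    headers: header map (names matched case-insensitively). Content-Type
    carries the server's declaration; X-Content-Type-Options may say nosniff.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    if nosniff and declared:
        # nosniff: the declared type is authoritative, the body cannot
        # override it, so HTML served as text/plain stays text/plain.
        return declared
    # Without nosniff the browser may override the declared type
    # based on the bytes it sees (the behaviour the draft specifies).
    return sniff(body) or declared or "application/octet-stream"
```

The first branch is the one the header buys you: a response declared as text/plain that happens to contain markup is rendered as text instead of being promoted to text/html.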