Re: [websec] I-D Action:draft-ietf-websec-mime-sniff-03.txt

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 28 September 2011 23:13 UTC

Message-ID: <4E83AA99.6080308@gondrom.org>
Date: Thu, 29 Sep 2011 00:15:37 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <20110508004502.3883.40670.idtracker@ietfa.amsl.com> <4E7DB8E4.9040208@gmx.de>
In-Reply-To: <4E7DB8E4.9040208@gmx.de>

Hello,

although this has been around for a while, I just stumbled again over this 
HTTP header when I analysed the bits on the wire of some web applications:

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. 
The header instructs the browser not to override the response content 
type. For example, some browsers try to be smart by deciding for 
themselves if the content really is text/html or an image. So with 
the nosniff option, if the server says the content is text/html, then 
the browser needs to render it as text/html.

Is this something we should mention in mime-sniff or even consider 
encouraging?

Kind regards, Tobias


> On 2011-05-08 02:45, Internet-Drafts@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>> This draft is a work item of the Web Security Working Group of the IETF.
>>
>>
>> Title : Media Type Sniffing
>> Author(s) : A. Barth, I. Hickson
>> Filename : draft-ietf-websec-mime-sniff-03.txt
>> Pages : 24
>> Date : 2011-05-07
>> ...
>
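An added illustration, not part of Tobias's message and not code from the mime-sniff draft: a reduced JavaScript model of how a browser settles on the media type of a response, and what "X-Content-Type-Options: nosniff" changes. It goes slightly beyond the message in two places: an untyped response is still sniffed for images under nosniff (only the HTML, i.e. scriptable, outcome is switched off), and a response loaded via <script src> is blocked under nosniff unless its declared type is a JavaScript type. The signature lists, the "unknown type" set and the sample upload body are assumptions constructed for this example, and the functions effectiveMediaType, scriptLoadAllowed and demo are names chosen here.

```javascript
// Added example, not code from the original e-mail or from the mime-sniff
// draft it discusses. It models, in reduced form, how a browser settles on the
// media type of a response and what "X-Content-Type-Options: nosniff" changes:
// with the header set, a declared Content-Type is taken verbatim, and a missing
// one is no longer sniffed for HTML (only for non-scriptable types such as
// images). The lists below are short subsets chosen for the example.

const IMAGE_SIGNATURES = [
  { type: "image/png",  magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: "image/gif",  magic: Buffer.from("GIF87a", "latin1") },
  { type: "image/gif",  magic: Buffer.from("GIF89a", "latin1") },
  { type: "image/jpeg", magic: Buffer.from([0xff, 0xd8, 0xff]) },
];

// Tag prefixes that mark a body as HTML (compared case-insensitively after
// leading whitespace). The draft checks a longer list; this is a subset.
const HTML_PREFIXES = ["<!doctype html", "<html", "<head", "<script", "<iframe",
                       "<body", "<div", "<a ", "<img", "<p"];

// Declared types the browser treats as "no usable type"; in this model only
// these trigger body sniffing.
const UNKNOWN_TYPES = new Set(["", "unknown/unknown", "application/unknown", "*/*"]);

// JavaScript media types accepted for <script src> under nosniff (subset).
const JS_TYPES = new Set(["text/javascript", "application/javascript",
                          "application/ecmascript", "application/x-javascript", "text/ecmascript"]);

// Bytes the draft classifies as "binary data bytes".
function isBinaryByte(b) {
  return b <= 0x08 || b === 0x0b || (b >= 0x0e && b <= 0x1a) || (b >= 0x1c && b <= 0x1f);
}

// Reduce a Content-Type header value to its bare media type:
// "Text/HTML; charset=utf-8" -> "text/html". Missing header -> "".
function declaredMediaType(headers) {
  const raw = headers["content-type"];
  return raw === undefined ? "" : raw.split(";")[0].trim().toLowerCase();
}

function hasNosniff(headers) {
  return (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
}

// Sniff an untyped body. `scriptable` false means: never conclude text/html,
// which is exactly what nosniff turns off for untyped responses.
function sniffUnknown(body, scriptable) {
  const head = body.subarray(0, 512);
  if (scriptable) {
    const text = head.toString("latin1").replace(/^[ \t\n\r\f]+/, "").toLowerCase();
    if (HTML_PREFIXES.some((p) => text.startsWith(p))) return "text/html";
  }
  for (const { type, magic } of IMAGE_SIGNATURES) {
    if (head.length >= magic.length && head.subarray(0, magic.length).equals(magic)) return type;
  }
  return Array.from(head).some(isBinaryByte) ? "application/octet-stream" : "text/plain";
}

// The media type the browser acts on when navigating to this response.
function effectiveMediaType(headers, body) {
  const declared = declaredMediaType(headers);
  if (UNKNOWN_TYPES.has(declared)) return sniffUnknown(body, !hasNosniff(headers));
  // A declared, known type is honoured. (Without nosniff a browser may still
  // refine text/plain to a binary type in some cases; that step is omitted.)
  return declared;
}

// Whether a response fetched for <script src="..."> may execute. Under nosniff
// the browser blocks it unless the declared type is a JavaScript type; without
// nosniff the body runs as script whatever the Content-Type says.
function scriptLoadAllowed(headers) {
  if (!hasNosniff(headers)) return true;
  return JS_TYPES.has(declaredMediaType(headers));
}

// Constructed sample: a user "upload" that is really an HTML payload, served by
// a file-hosting endpoint that forgot to set a Content-Type.
const upload = Buffer.from("  <script>alert(document.cookie)</script>", "latin1");
const png = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);

function demo() {
  const nosniff = { "x-content-type-options": "nosniff" };
  return {
    untyped:         effectiveMediaType({}, upload),        // sniffed to text/html: the payload would run
    untypedNosniff:  effectiveMediaType(nosniff, upload),   // text/plain: HTML sniffing is off
    plainNosniff:    effectiveMediaType({ "content-type": "text/plain; charset=utf-8", ...nosniff }, upload),
    pngNosniff:      effectiveMediaType(nosniff, png),      // image/png: image sniffing still runs
    scriptFromImage: scriptLoadAllowed({ "content-type": "image/png", ...nosniff }), // blocked
  };
}
```

The practical reading of demo(): the same untyped upload is rendered as HTML without the header and as plain text with it, and a resource declared as an image can no longer be pulled in as a script once nosniff is present, which is the check a practitioner should make on any endpoint that serves user-controlled bytes.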