whatwg / misc-server

Miscellaneous resources for the servers hosting *.whatwg.org domains

Some unnecessary headers #90

Closed domenic closed 3 years ago

domenic commented 6 years ago

Based on https://sonarwhal.com/scanner/82d0ae4e-aa8d-4b9b-9d32-24c1b0817136

annevk commented 6 years ago

Yeah, sending X-Content-Type-Options for all makes sense. (There's also a gap in the specification I found out the other day as apparently some browsers use it for navigation too.)

annevk commented 6 years ago

And surely X-XSS-Protection would be relevant for SVG containing script?

domenic commented 6 years ago

I dunno, I guess there's no spec for them, so it's unclear if browsers would process them on SVGs.

alrra commented 6 years ago

sending X-Content-Type-Options for all makes sense.

@annevk sonarwhal used to do that, but then things were changed to only recommend it for scripts and stylesheets because of the reasons specified in the docs, namely:

Note: Modern browsers only respect the header for scripts and stylesheets, and sending the header for other resources such as images may create problems in older browsers.
Maybe this will change with CORB though?

Yes.
(There's also a gap in the specification I found out the other day as apparently some browsers use it for navigation too.)

@annevk Can you provide more information (or a link)? Thanks!
@annevk, @domenic I'm one of the maintainers of the sonarwhal project, so if you have any other feedback, let me know! I'll happily change what sonarwhal suggests if something is not accurate.

annevk commented 6 years ago

@alrra

HTTP/1.1 200 OK
Content-Type: garbage
X-Content-Type-Options: nosniff

<?xml version="1.0"?><test/>

Test that with and without the header and notice the difference. (Note that this behavior is not standardized.)

annevk commented 6 years ago

(Also, sending it for other resources does not create problems. What creates problems is if you send it for resources that are not correctly labeled.)
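As an added illustration of the point above (this is not code from the whatwg/misc-server repository), the following Python sketch models the nosniff rule browsers apply to script and stylesheet loads and uses it to audit a constructed asset table: sending the header for every resource only breaks the ones whose Content-Type is wrong. The JavaScript MIME type list and the text/css requirement follow the HTML standard; the asset table and header dicts are constructed sample data.

```python
# Added example, not part of whatwg/misc-server. Models what a browser that
# honours X-Content-Type-Options: nosniff accepts for script and style loads.

# JavaScript MIME types as enumerated by the HTML standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def mime_essence(content_type):
    """Return the lowercase type/subtype of a Content-Type value, or None when
    it does not even parse as type/subtype (e.g. the 'garbage' label above)."""
    essence = content_type.split(";", 1)[0].strip().lower()
    if "/" not in essence:
        return None
    main_type, subtype = essence.split("/", 1)
    if not main_type or not subtype:
        return None
    return f"{main_type}/{subtype}"


def blocked_by_nosniff(destination, headers):
    """True if a nosniff-honouring browser refuses to use this response as
    the given destination ('script' or 'style'). Other destinations have no
    standardized nosniff behaviour, so they are never reported as blocked."""
    h = {k.lower(): v for k, v in headers.items()}
    xcto = h.get("x-content-type-options", "").split(",")[0].strip().lower()
    if xcto != "nosniff":
        return False  # without the header the browser may sniff the body
    essence = mime_essence(h.get("content-type", ""))
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


def audit(assets):
    """Given (path, destination, headers) rows, return the paths that would
    break once nosniff is added to every response: the mislabeled ones."""
    return [path for path, dest, headers in assets
            if blocked_by_nosniff(dest, {**headers, "X-Content-Type-Options": "nosniff"})]


SAMPLE_ASSETS = [  # constructed sample table, not a real server's config
    ("/main.js", "script", {"Content-Type": "text/javascript; charset=utf-8"}),
    ("/legacy.js", "script", {"Content-Type": "text/plain"}),  # mislabeled
    ("/site.css", "style", {"Content-Type": "text/css"}),
    ("/logo.png", "image", {"Content-Type": "image/png"}),  # unaffected
    ("/theme.css", "style", {}),  # no Content-Type at all
]
```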

alrra commented 6 years ago

What creates problems is if you send it for resources that are not correctly labeled.

@annevk Yes, that was the intent, but I can see the confusion. I've updated the docs to make them clearer, thanks!

Test that with and without the header and notice the difference.

Thanks!

rugk commented 5 years ago

Actually, "HTML" can also be a malicious MIME type, as it can obviously embed JS. (Maybe also other types such as SVG?)

See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject.

Also, isn't this issue basically a dupe of https://github.com/webhintio/hint/issues/1221 now? Or what is still to be discussed here? (Isn't it fixed by https://github.com/webhintio/hint/commit/5c798f533b06675947b783384e4473153bb81172, or what was actually the purpose of this issue?)

annevk commented 5 years ago

@rugk whatwg/misc-server is for issues with WHATWG's server setup. I doubt webhintio/hint has access to our keys to make the relevant changes.

rugk commented 5 years ago

Ugh… yeah…

So you still serve the header for all assets? And here is the reasoning as I see it: https://github.com/webhintio/hint/commit/5c798f533b06675947b783384e4473153bb81172

So is there still something to do in this issue? Or do you want to wait and see whether browsers change their decisions about which MIME types?

Actually I only came here because it is linked on MDN.

nosniff only applies to "script" and "style" types (this restriction may change in the future).

Though I do not see how that link would be fitting here. After all, you are not discussing or indicating that browsers may change their decision here, or what? Now I am totally confused… :confused:

annevk commented 5 years ago

This issue is not exclusively about nosniff.

rugk commented 5 years ago

So the link on MDN makes no sense…

annevk commented 3 years ago

I guess we can close this now.