Closed domenic closed 3 years ago
Yeah, sending X-Content-Type-Options for all makes sense. (There's also a gap in the specification I found out the other day as apparently some browsers use it for navigation too.)
And surely X-XSS-Protection would be relevant for SVG containing script?
I dunno, I guess there's no spec for them, so it's unclear if browsers would process them on SVGs.
> sending X-Content-Type-Options for all makes sense.

@annevk sonarwhal used to do that, but then things were changed to only recommend it for scripts and stylesheets because of the reasons specified in the docs, namely:

> Note: Modern browsers only respect the header for scripts and stylesheets, and sending the header for other resources such as images may create problems in older browsers.
Maybe this will change with CORB though?
Yes.
> (There's also a gap in the specification I found out the other day as apparently some browsers use it for navigation too.)
@annevk Can you provide more information (or a link)? Thanks!
@annevk, @domenic I'm one of the maintainers of the sonarwhal project, so if you have any other feedback, let me know! I'll happily change what sonarwhal suggests if something is not accurate.
@alrra

```http
HTTP/1.1 200 OK
Content-Type: garbage
X-Content-Type-Options: nosniff

<?xml version="1.0"?><test/>
```
Test that with and without the header and notice the difference. (Note that this behavior is not standardized.)
(Also, sending it for other resources does not create problems. What creates problems is if you send it for resources that are not correctly labeled.)
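As an added example (not code from this thread, from whatwg/misc-server, or from sonarwhal), a small Python checker for the mislabeling case described above: it flags nosniff paired with a missing or unparseable Content-Type, or with a label that disagrees with the body's leading bytes, and also reports script/style responses that lack the header. The magic-byte table, the `SCRIPT_STYLE` set and the responses it is run on are constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed magic-byte table; enough for the demo, not a full sniffing algorithm.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]
# Loose "type/subtype" shape check; rejects a label like "garbage".
MIME_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+/[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
SCRIPT_STYLE = {"text/javascript", "application/javascript", "text/css"}

def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def sniff(body: bytes) -> Optional[str]:
    """Guess the body's type from its leading bytes; None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return "xml" if body.lstrip().startswith(b"<?xml") else None

def consistent(guess: str, label: str) -> bool:
    # An XML prolog is fine under any XML label (text/xml, image/svg+xml, ...).
    return guess == label or (guess == "xml" and label.endswith("xml"))

def nosniff_findings(raw: bytes) -> List[str]:
    """Describe problems with the nosniff / Content-Type pairing of one response."""
    headers, body = parse_response(raw)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    label = headers.get("content-type", "").split(";", 1)[0].strip().lower() or None
    findings: List[str] = []
    if nosniff and label is None:
        findings.append("nosniff sent but Content-Type is missing")
    elif nosniff and not MIME_RE.match(label):
        findings.append(f"nosniff sent with unparseable Content-Type {label!r}")
    elif nosniff and (guess := sniff(body)) and not consistent(guess, label):
        findings.append(f"nosniff sent but body looks like {guess}, labeled {label}")
    if not nosniff and label in SCRIPT_STYLE:
        findings.append(f"{label} response without nosniff")
    return findings
```

Run over captured responses, it reports the "garbage" case from the exchange above as a mislabel, while a correctly labeled SVG with nosniff produces no finding.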
> What creates problems is if you send it for resources that are not correctly labeled.
@annevk Yes, that was the intent, but I can see the confusion. I've updated the docs to make them more clear, thanks!
> Test that with and without the header and notice the difference.
Thanks!
Actually also "HTML" can be a malicious mime type, as it can obviously embed JS. (Maybe also other types such as SVG?)
See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject.
Also, isn't this issue basically a dupe of https://github.com/webhintio/hint/issues/1221 now? Or what is still to be discussed here? (Isn't it fixed by https://github.com/webhintio/hint/commit/5c798f533b06675947b783384e4473153bb81172, or what was actually the purpose of this issue?)
@rugk whatwg/misc-server is for issues with WHATWG's server setup. I doubt webhintio/hint has access to our keys to make the relevant changes.
Ugh… yeah…
So you still serve the header for all assets? And here is the reasoning as I see it: https://github.com/webhintio/hint/commit/5c798f533b06675947b783384e4473153bb81172
So is there still something to do in this issue? Or do you want to wait whether browsers change their decisions about what mime types?
Actually I only came here because it is linked on MDN.
> nosniff only applies to "script" and "style" types (this restriction may change in the future).
Though I do not see how that link would be fitting here. After all, you are not discussing or indicating that browsers may change their decision here, or what? Now I am totally confused… :confused:
This issue is not exclusively about nosniff.
So the link on MDN makes no sense…
I guess we can close this now.
Based on https://sonarwhal.com/scanner/82d0ae4e-aa8d-4b9b-9d32-24c1b0817136