MIME sniffing

[mnot]

7231 says:

In practice, resource owners do not always properly configure their origin server to provide the correct Content-Type for a given representation, with the result that some clients will examine a payload's content and override the specified type. Clients that do so risk drawing incorrect conclusions, which might expose additional security risks (e.g., "privilege escalation"). Furthermore, it is impossible to determine the sender's intent by examining the data format: many data formats match multiple media types that differ only in processing semantics. Implementers are encouraged to provide a means of disabling such "content sniffing" when it is used.

It seems like this should at least mention:

• MIME sniffing
• x-content-type-options: nosniff

[royfielding]

As mentioned in the PR, it makes sense here to reference MIME Sniffing as that is responsive to the entire paragraph. However, X-CTO is neither a standard nor recommended in practice, and falls into a "no I really mean it" example rather than a means for the user to disable sniffing. I have updated the PR accordingly.

[annevk]

X-Content-Type-Options is definitely recommended to some extent, it's the only way to avoid a certain set of issues.

[mcmanus]

ietf104: no interest in mentioning xcto explicitly