
Standardize "nosniff" #35

Closed
annevk opened this issue Apr 2, 2015 · 7 comments

Comments

@annevk
Member

annevk commented Apr 2, 2015

Research:

Todo:

  • Study various other contexts.
  • Fix tests to match the web-platform-tests framework.

Tentative plan:

  • Define the X-Content-Type-Options header.
  • Add a hook in #concept-fetch that checks a response for "nosniff" violations. If there are violations, return a network error instead.
  • Write a section that defines the check for "nosniff" violations. Checking the request context against the MIME type if a "nosniff" header is around.

Open issue:

  • Might need to annotate the response with a "nosniff" flag of sorts so further checks can be done by special components. E.g. an image decoder might want to reject a GIF with an image/png MIME type (IE11 does this).
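The check sketched in the tentative plan above, written out as an added example. This is not code from the whatwg/fetch issue, the Fetch Standard, or any browser; it is a self-contained model of "look at the request context, the response MIME type and the `X-Content-Type-Options` header, and turn violations into a network error". Everything beyond what the plan states is an assumption made for illustration: which contexts are checked (script-like destinations must carry a JavaScript MIME type, `style` must be `text/css`, every other destination passes through), the case-insensitive header lookup, the `X-Content-Type-Options` parsing (first comma-separated token, ASCII case-insensitive), and the sample responses at the bottom, which are constructed.

```javascript
// Added example: a model of the "nosniff" violation check, not spec or
// browser code. Contexts checked, header parsing and sample inputs are
// assumptions made for illustration.

// Case-insensitive lookup over a plain { name: value } header object
// (a stand-in for a real header list; assumed shape).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Reduce a Content-Type value to its essence ("type/subtype"), dropping
// parameters such as charset and lower-casing. Returns null when there is
// no usable type, so that a missing or malformed Content-Type never
// accidentally matches an allow-list below.
function mimeEssence(contentType) {
  if (contentType == null) return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const parts = essence.split("/");
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") return null;
  return essence;
}

// "Determine nosniff": true only if X-Content-Type-Options is present and
// its first comma-separated token is "nosniff" (ASCII case-insensitive).
// "foo, nosniff" therefore does NOT enable the check (assumed rule).
function determineNosniff(headers) {
  const raw = getHeader(headers, "x-content-type-options");
  if (raw == null) return false;
  return raw.split(",")[0].trim().toLowerCase() === "nosniff";
}

// MIME essences accepted for script-like destinations (assumed allow-list,
// modelled on the JavaScript MIME types HTML recognises).
const JAVASCRIPT_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Request destinations treated as "script-like" for this check (assumed).
const SCRIPT_LIKE = new Set([
  "script", "worker", "sharedworker", "serviceworker",
  "audioworklet", "paintworklet",
]);

// The hook the plan describes: given the request's destination and the
// response's headers, decide whether the response is a "nosniff" violation.
// Returns true when fetch should hand back a network error instead.
function blockedByNosniff(destination, headers) {
  if (!determineNosniff(headers)) return false;       // header absent: sniffing rules unchanged
  const essence = mimeEssence(getHeader(headers, "content-type"));
  if (SCRIPT_LIKE.has(destination)) {
    return !JAVASCRIPT_MIME_ESSENCES.has(essence);    // null essence is blocked too
  }
  if (destination === "style") {
    return essence !== "text/css";
  }
  return false;                                       // other contexts: not checked here
}

// Simulated fetch step: either the response or a network error.
function applyNosniff(destination, response) {
  if (blockedByNosniff(destination, response.headers)) {
    return { type: "error", reason: "nosniff violation" };
  }
  return response;
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { destination: "script", headers: { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" } },
  { destination: "script", headers: { "Content-Type": "text/plain" } },
  { destination: "script", headers: { "Content-Type": "text/javascript; charset=utf-8", "X-Content-Type-Options": "NoSniff" } },
  { destination: "style",  headers: { "Content-Type": "text/html", "X-Content-Type-Options": "nosniff" } },
  { destination: "image",  headers: { "Content-Type": "image/png", "X-Content-Type-Options": "nosniff" } },
];

// Returns the verdict for each sample in order.
function evaluateSamples() {
  return SAMPLES.map((s) => applyNosniff(s.destination, { headers: s.headers }).type === "error");
}

for (const [i, blocked] of evaluateSamples().entries()) {
  console.log(`${SAMPLES[i].destination.padEnd(7)} ${blocked ? "network error" : "allowed"}`);
}
```

Two points a practitioner would want to keep from this: the header only changes behaviour for the contexts the check enumerates, so the image case (the open issue in the comment above) passes untouched here, and a response that sends `nosniff` but no usable `Content-Type` at all is blocked for scripts and style sheets rather than falling back to sniffing, because a null essence matches neither allow-list.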
@btoews

btoews commented Apr 3, 2015

👏

@wanderview
Member

I wrote a gecko bug to implement this for fetch:

https://bugzilla.mozilla.org/show_bug.cgi?id=1150897

Our older general "nosniff" bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=471020

@igrigorik
Member

@annevk https://tools.ietf.org/html/rfc6648 ... can we drop the X-? /cc @mnot

@annevk
Member Author

annevk commented Apr 3, 2015

@igrigorik that would break existing content.

@igrigorik
Member

Hmm, I guess a broader question then... For places where we use X-, how do we migrate away from them? Should we add a clause indicating that UAs should look for optionally X- prefixed headers? i.e. X-Thing == Thing?

@annevk
Member Author

annevk commented Apr 3, 2015

I think we should just leave it and not add complexity. And in the future avoid inventing X--stuff altogether. E.g. HTML has application/x-www-form-urlencoded and it's doing just fine for close to two decades now.

@mnot
Member

mnot commented Apr 7, 2015

Yep, that RFC is for new things, not existing things. If you need to make a breaking change on one of those headers, that's your opportunity to change the name, but don't do it just to change the name; that's a worse outcome.
