It’s just data

X-Content-Type-Options: nosniff

Eric Lawrence: Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

I ~~can’t~~ can now reproduce this, ~~either~~ with the feeds I care about ~~or~~ and with the testcase provided.

UserAgent sent:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Headers produced:

HTTP/1.1 200 OK
Date: Wed, 03 Sep 2008 12:04:44 GMT
Server: Apache
Last-Modified: Fri, 13 Apr 2007 13:10:42 GMT
ETag: "420214-2d2-3b057880"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
X-Content-Type-Options: nosniff
Content-Type: text/plain; charset=utf-8
Connection: close

Meanwhile, Safari 3.1.2 (on Mac OS X), Opera 9.52, and Google Chrome get it right in both cases.  Without needing an X-Content-Type-Options header.

Firefox 3.0.1, Safari 3.1.2 (on Windows), and Opera 9.52 continue to disappoint.

Update: Reinstalled IE8Beta2, and the tests now pass.  Retested Opera 9.52 on both Ubuntu 8.04 and Windows XP, and it too passes (Operator error? Caching problem? Who knows!).
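A header check for the situation this post tests, added here as an example and not code from the post: it parses the response captured above, reports whether nosniff pins the declared type, and flags a text/plain response whose body starts like markup when nothing pins it. The sample body and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Response headers exactly as captured in the post.
CAPTURED = """\
HTTP/1.1 200 OK
Date: Wed, 03 Sep 2008 12:04:44 GMT
Server: Apache
Last-Modified: Fri, 13 Apr 2007 13:10:42 GMT
ETag: "420214-2d2-3b057880"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
X-Content-Type-Options: nosniff
Content-Type: text/plain; charset=utf-8
Connection: close
"""

# Constructed sample body: feed markup served under a text/plain label.
SAMPLE_BODY = b'<?xml version="1.0"?>\n<feed xmlns="http://www.w3.org/2005/Atom"></feed>'
# Leading bytes that a content-sniffing client may treat as HTML or a feed.
MARKUP = re.compile(rb"\s*<(?:\?xml|!doctype|html|feed|rss|rdf:rdf|script)\b", re.I)


def parse_headers(raw):
    """Drop the status line and parse the remaining header block."""
    _status, _, rest = raw.partition("\n")
    return message_from_string(rest)


def has_nosniff(headers):
    """First value decides, matching how the Fetch standard reads the header."""
    values = headers.get_all("X-Content-Type-Options", [])
    tokens = [t.strip().lower() for v in values for t in v.split(",")]
    return bool(tokens) and tokens[0] == "nosniff"


def audit(raw, body):
    """Classify a response as 'enforced', 'sniffable' or 'consistent'."""
    headers = parse_headers(raw)
    if has_nosniff(headers):
        return "enforced"  # declared type is binding for clients that honor it
    looks_like_markup = MARKUP.match(body) is not None
    if headers.get_content_type() == "text/plain" and looks_like_markup:
        return "sniffable"  # label and content disagree, nothing pins the label
    return "consistent"


if __name__ == "__main__":
    print(audit(CAPTURED, SAMPLE_BODY))
```

Run against the captured headers this reports `enforced`; with the X-Content-Type-Options line removed, the same body is reported as `sniffable`.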


Works for me - the code is displayed in plain text. IE8 Beta 2 in Windows XP Pro SP3.

Are you using Beta 2?

Posted by Franklin Tse at

Following your testcase link works correctly for me in Firefox 3.0.1 for Windows - the page is displayed as plain text, not rendered as HTML.

Posted by Jason Clark at

Ahh... but it doesn’t work for your “feeds” link.  Forgot to test that.

Posted by Jason Clark at

[link] Also, both links work fine in Opera 9.50 on Ubuntu for me by the way (render as text).

Posted by Anne van Kesteren at

Anne: I’ve now retested Opera 9.52, and it does appear to work.  I’ve updated the post to reflect that.  Thanks!

Also thanks for the link.

Posted by Sam Ruby at

Ubuntu 9.04. Blimey, you do live on the bleeding edge!

Posted by James Abley at

Ubuntu 9.04

Oops.  Fixed.  Thanks!

Posted by Sam Ruby at

Opera 9.27 on Ubuntu 8.04 passes.

Posted by Keith Gaughan at

Opera 9.27 on Ubuntu 8.04 passes.

Posted by Keith Gaughan at

Sorry about that dupe: OpenID hiccough.

Posted by Keith Gaughan at

It’s impressive that on day one of the Chrome beta, it’s getting things like this right.

Posted by Scott Johnson at

I ~~can’t~~ can now reproduce this, ~~either~~ with the feeds I care about ~~or~~ and

This is a terrible headache to read.  Just because you can edit a post and play games with strikeout doesn’t mean you should.

Posted by anonymous at

Sam Ruby: X-Content-Type-Options: nosniff

Sam Ruby: X-Content-Type-Options: nosniff : Google has already added it on its GFE/1.3 servers (confirmed on feedproxy) Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared...

Excerpt from Hidehisa Watch at

Chrome 10.0.648 still fails on the Feeds link... it renders it as if it was an Atom feed.
The other testcase shows as text.

Firefox 4 handles both as plain text.

Posted by martin at
