Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Correct. You want to set Content-Type and X-Content-Type-Options.

The story is that in some cases, Internet Explorer could be tricked to ignore the Content-Type header. Instead of fixing the core bug, Microsoft decided to add a header (presumably, they didn’t want to break existing websites). A decade later, people discovered two ways to bypass X-Content-Type-Options. This time, Microsoft fixed the core issue instead of adding X-Content-Type-Options-For-Reals.



Actually when I reported security issues with XCTO:nosniff to Microsoft the answer was something like "well... we don't care, but you can hope that with Edge going to chromium engine things will change". Firefox fixed it eventually.

FWIW background https://www.youtube.com/watch?v=8t8JYpt0egE


> could be tricked to ignore the Content-Type

I think even browser nowadays still do it. A file in <script src="" /> will be treated as script even mime is wrong. A file ended with .mp4 will be play as video even it says it is a text/plain file. Browser guess mime from contents at many places, just you may not notice it.

unless XCTO is set




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: