[13] IRC logs: freenode / #whatwg / 20121116 http://krijnhoetmer.nl/irc-logs/whatwg/20121116#l-1076
[14] Changeset 141985 – WebKit http://trac.webkit.org/changeset/141985
[15] [whatwg] [mimesniff] First pass at speccing the X-Content-Type-Options header http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-May/039561.html
[16] MIME Sniffing Standard http://mimesniff.spec.whatwg.org/#determining-the-supplied-mime-type-of-a-resource
[17] X-Content-Type-Options: nosniff (by Anne van Kesteren) https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0004.html
[18] First draft of X-Content-Type-Options: nosniff. Fixes #35 · whatwg/fetch@cde532c https://github.com/whatwg/fetch/commit/cde532c00f410f44edb1f56f8aaa174bfedb16be
[19] Standardize "nosniff" · Issue #35 · whatwg/fetch https://github.com/whatwg/fetch/issues/35
[20] 1150897 – Implement fetch "nosniff" spec changes https://bugzilla.mozilla.org/show_bug.cgi?id=1150897
[21] 471020 – Add X-Content-Type-Options: nosniff support to Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
[22] The script element, worker constructors, and importScripts ignore the MIME type and treat the resource as JavaScript. The only way to prevent this is to use X-Content-Type-Options: nosniff.
[32] Remove X-Content-Type-Options as it's defined by Fetch (by annevk) https://github.com/whatwg/mimesniff/commit/64bfe025012be3ded16ac4978844acc0e8dfec3c
[25] 1302539 – X-Content-Type-Options: nosniff breaks this page in Firefox but not in Chrome https://bugzilla.mozilla.org/show_bug.cgi?id=1302539
[26] >>25 So exactly what Hixie predicted has happened...
[28] Only use nosniff for "script" and "style" (by annevk) https://github.com/whatwg/fetch/commit/169de91ca9fa3ab91a860bc492caf5fa94c29592
[29] Stop lowercasing header names (by annevk) https://github.com/whatwg/fetch/commit/5869c43a27fff06c6dfc228fe1288018f7f2168d
[30] Breaking: redo value parsing as value extraction (by annevk) https://github.com/whatwg/fetch/commit/68a986772901fe74f666f76a389dbc56cac1ad21
[34] Chrome implements the check for binary data bytes, but Firefox does not appear to implement it.
[35] Chrome applies X-Content-Type-Options: to sniffing during navigation (the behavior of the MIME Sniffing Standard before the removal), but Firefox does not.
[36] According to the old provisions of the MIME Sniffing Standard, the check for binary data bytes should be performed when Content-Type: is not specified, even if X-Content-Type-Options: nosniff is specified, but Chrome does not perform it (it treats the resource as text/plain).
[37] Fold request type into destination (by annevk) https://github.com/whatwg/fetch/commit/d7052e2b6d24d04caa2cea8ef664923ecdb1e35c
[38] Meltdown/Spectre | Web | Google Developers https://developers.google.com/web/updates/2018/02/meltdown-spectre
[39] CORB: protecting certain nosniff and 206 responses (by anforowicz) https://github.com/whatwg/fetch/commit/794dd5452705564538440cc5b2c1f13d909e2f9a
[40] CORB: protecting certain nosniff and 206 responses (by anforowicz) https://github.com/whatwg/fetch/commit/794dd5452705564538440cc5b2c1f13d909e2f9a
[41] CORB: blocking of nosniff and 206 responses by anforowicz · Pull Request #686 · whatwg/fetch https://github.com/whatwg/fetch/pull/686
[42] CORB: blocking of nosniff and 206 responses by anforowicz · Pull Request #686 · whatwg/fetch https://github.com/whatwg/fetch/pull/686
[43] Define parsing for X-Content-Type-Options: nosniff in detail (by annevk) https://github.com/whatwg/fetch/commit/32c7b1c76a43ea96b8663628b891b339553ae114
[44] What does "combined value" return for a name not in the header list? · Issue #752 · whatwg/fetch https://github.com/whatwg/fetch/issues/752
[45] Define parsing for X-Content-Type-Options in detail by annevk · Pull Request #818 · whatwg/fetch https://github.com/whatwg/fetch/pull/818
[46] Define parsing for X-Content-Type-Options in detail by annevk · Pull Request #818 · whatwg/fetch https://github.com/whatwg/fetch/pull/818
[47] Define the Content-Type header parser (by annevk) https://github.com/whatwg/fetch/commit/0b2bc05b2550dcbefe1321ea3e8026702514a798