仕様書

歴史

IE8

  • [4] IE8 Security Part V: Comprehensive Protection - IEBlog - Site Home - MSDN Blogs ( 版) http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
  • [5] IE8 Security Part VI: Beta 2 Update - IEBlog - Site Home - MSDN Blogs ( 版) http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
  • [12] Google Image Search and IE9 Beta - IEInternals - Site Home - MSDN Blogs ( 版) http://blogs.msdn.com/b/ieinternals/archive/2010/09/27/ie9-beta-google-image-search-javascript-content-type-and-nosniff.aspx
  • [7] MIME-Handling Changes in Internet Explorer - IEBlog - Site Home - MSDN Blogs ( 版) http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
  • [9] MIME-Handling Change: X-Content-Type-Options: nosniff (Windows) ( 版) http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
  • [10] Hosting - Google Chrome ( 版) http://developer.chrome.com/extensions/hosting.html
  • [1] IRC logs: freenode / #whatwg / 20090129 ( 版) http://krijnhoetmer.nl/irc-logs/whatwg/20090129#l-594
  • [2] HTTP ヘッダーに X-Content-Type-Options: nosniff を追加 ( 版) http://sqljp.com/yoshihirokawabata/archive/2009/03/30/26466.aspx

WHATWG

  • [8] 471020 – Add X-Content-Type-Options: nosniff support to Firefox ( 版) https://bugzilla.mozilla.org/show_bug.cgi?id=471020
  • [11] Issue 95901 - chromium - Consider implementing <script> MIME restrictions for X-Content-Type-Options: nosniff - An open-source browser project to help move the web forward. - Google Project Hosting ( 版) http://code.google.com/p/chromium/issues/detail?id=95901
  • [3] [whatwg] [mimesniff] The X-Content-Type-Options header ( ( 版)) http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-November/037974.html

テスト・ケース

[13] IRC logs: freenode / #whatwg / 20121116 ( ( 版)) http://krijnhoetmer.nl/irc-logs/whatwg/20121116#l-1076

[14] チェンジセット 141985 – WebKit ( ( 版)) http://trac.webkit.org/changeset/141985

[15] [whatwg] [mimesniff] First pass at speccing the X-Content-Type-Options header ( ( 版)) http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-May/039561.html

[16] MIME Sniffing Standard ( ( 版)) http://mimesniff.spec.whatwg.org/#determining-the-supplied-mime-type-of-a-resource

[17] X-Content-Type-Options: nosniff (Anne van Kesteren 著, 版) https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0004.html

[18] First draft of X-Content-Type-Options: nosniff. Fixes #35 · whatwg/fetch@cde532c ( 版) https://github.com/whatwg/fetch/commit/cde532c00f410f44edb1f56f8aaa174bfedb16be

[19] Standardize "nosniff" · Issue #35 · whatwg/fetch ( 版) https://github.com/whatwg/fetch/issues/35

[20] 1150897 – Implement fetch "nosniff" spec changes ( 版) https://bugzilla.mozilla.org/show_bug.cgi?id=1150897

[21] 471020 – Add X-Content-Type-Options: nosniff support to Firefox ( 版) https://bugzilla.mozilla.org/show_bug.cgi?id=471020

[22] script 要素ワーカーコンストラクターimportScriptsMIME型を無視して JavaScript として扱います。これを防ぐには X-Content-Type-Options: nosniff を使うしかありません。

[32] Remove X-Content-Type-Options as it's defined by Fetch (annevk著, ) https://github.com/whatwg/mimesniff/commit/64bfe025012be3ded16ac4978844acc0e8dfec3c

[23] Mitigating MIME Confusion Attacks in Firefox | Mozilla Security Blog () https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/

Starting with Firefox 50, Firefox will reject stylesheets, images or scripts if their MIME type does not match the context in which the file is loaded if the server sends the response header “X-Content-Type-Options: nosniff” (view specification). More precisely, if the Content-Type of a file does not match the context (see detailed list of accepted Content-Types for each format underneath) Firefox will block the file, hence prevent such MIME confusion attacks and will display the following message in the console:

[24] Mitigating MIME Confusion Attacks in Firefox | Mozilla Security Blog () https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/

Valid Content-Types for Stylesheets:

– “text/css”

Valid Content-Types for images:

– have to start with “image/”

Valid Content-Types for Scripts:

– “application/javascript”

– “application/x-javascript”

– “application/ecmascript”

– “application/json”

– “text/ecmascript”

– “text/javascript”

– “text/json”

[25] 1302539 – X-Content-Type-Options: nosniff breaks this page in Firefox but not in Chrome () https://bugzilla.mozilla.org/show_bug.cgi?id=1302539

[26] >>25 Hixie の予言通りのことが起こったわけですな。。。

[27] IRC logs: freenode / #whatwg / 20080903 () http://krijnhoetmer.nl/irc-logs/whatwg/20080903#l-573

# [11:52] <Hixie> i can't wait for X-Content-Type-Options: nosniff-seriously

# [11:53] <Hixie> and X-Content-Type-Options: nosniff-pleeeease-please-i-mean-it-this-time-really

[28] Only use nosniff for "script" and "style" (annevk著, ) https://github.com/whatwg/fetch/commit/169de91ca9fa3ab91a860bc492caf5fa94c29592

[29] Stop lowercasing header names (annevk著, ) https://github.com/whatwg/fetch/commit/5869c43a27fff06c6dfc228fe1288018f7f2168d

[30] Breaking: redo value parsing as value extraction (annevk著, ) https://github.com/whatwg/fetch/commit/68a986772901fe74f666f76a389dbc56cac1ad21

[31] Abusing JSONP with Rosetta Flash ( (Michele Spagnuolo著, )) https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Furthermore, to hinder this attack vector in most modern browsers you can also return the HTTP header X-Content-Type-Options: nosniff. If the JSONP endpoint returns a Content-Type which is not application/x-shockwave-flash (usually application/javascript or application/json), Flash Player will refuse to execute the SWF.

[34] Chromebinary data bytes の検査を実装していますが、 Firefox は実装していないようにみえます。

[35] navigate 時の sniffingX-Content-Type-Options:Chrome は反映させますが (削除前の MIME Sniffing Standard の動作)、 Firefox は反映させません。

[36] MIME Sniffing Standard の昔の規定に従えば X-Content-Type-Options: nosniff が指定されていても Content-Type: が指定されていない場合は binary data bytes の検査が行われるはずですが、 Chrome は行いません (text/plain とします)。

[37] Fold request type into destination (annevk著, ) https://github.com/whatwg/fetch/commit/d7052e2b6d24d04caa2cea8ef664923ecdb1e35c

[38] Meltdown/Spectre  |  Web  |  Google Developers () https://developers.google.com/web/updates/2018/02/meltdown-spectre

[39] CORB: protecting certain nosniff and 206 responses (anforowicz著, ) https://github.com/whatwg/fetch/commit/794dd5452705564538440cc5b2c1f13d909e2f9a

[40] CORB: protecting certain nosniff and 206 responses (anforowicz著, ) https://github.com/whatwg/fetch/commit/794dd5452705564538440cc5b2c1f13d909e2f9a

[41] CORB: blocking of nosniff and 206 responses by anforowicz · Pull Request #686 · whatwg/fetch () https://github.com/whatwg/fetch/pull/686

[42] CORB: blocking of nosniff and 206 responses by anforowicz · Pull Request #686 · whatwg/fetch () https://github.com/whatwg/fetch/pull/686

[43] Define parsing for X-Content-Type-Options: nosniff in detail (annevk著, ) https://github.com/whatwg/fetch/commit/32c7b1c76a43ea96b8663628b891b339553ae114

[44] What does "combined value" return for a name not in the header list? · Issue #752 · whatwg/fetch () https://github.com/whatwg/fetch/issues/752

[45] Define parsing for X-Content-Type-Options in detail by annevk · Pull Request #818 · whatwg/fetch () https://github.com/whatwg/fetch/pull/818

[46] Define parsing for X-Content-Type-Options in detail by annevk · Pull Request #818 · whatwg/fetch () https://github.com/whatwg/fetch/pull/818

[47] Define the Content-Type header parser (annevk著, ) https://github.com/whatwg/fetch/commit/0b2bc05b2550dcbefe1321ea3e8026702514a798