
Retrofit: X-Content-Type-Options is a list, not an item

Open lidaobing opened this issue 11 months ago • 0 comments

Reason:

1. The standard for X-Content-Type-Options is specified in the Fetch Standard, which treats it as a list (currently with only one valid option).

   https://fetch.spec.whatwg.org/#x-content-type-options-header

   > To determine nosniff, given a header list list, run these steps:
   >
   > 1. Let values be the result of getting, decoding, and splitting [X-Content-Type-Options](https://fetch.spec.whatwg.org/#http-x-content-type-options) from list.
   > 2. If values is null, then return false.
   > 3. If values[0] is an ASCII case-insensitive match for "nosniff", then return true.
   > 4. Return false.

2. Some websites, such as IANA, use multiple X-Content-Type-Options headers. Example:

   ```
   $ curl -si https://www.iana.org/help/example-domains | grep -i x-content
   X-Content-Type-Options: nosniff
   X-Content-Type-Options: nosniff
   ```

3. The field name is X-Content-Type-Options, not X-Content-Type-Option, implying that there is a possibility of adding more options to this field in the future.

Thanks,

lidaobing avatar Jan 19 '25 14:01 lidaobing
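The Fetch algorithms the issue relies on, as an added example (not code from the issue author or from the http-extensions project): a direct implementation of "get, decode, and split" and "determine nosniff" in JavaScript. It assumes a header list is modelled as an array of `[name, value]` string pairs whose values are already isomorphic-decoded; the header lists at the bottom are constructed for demonstration, the first one mirroring the two-field IANA response quoted above.

```javascript
// Added example (not code from the issue or from http-extensions): Fetch's
// "get, decode, and split" and "determine nosniff", showing that
// X-Content-Type-Options is processed as a list and only values[0] is consulted.
// Assumption: a header list is an array of [name, value] string pairs whose
// values are already isomorphic-decoded.

// Fetch "collect an HTTP quoted string" (non-extract-value form): returns the
// raw quoted span, quotes and backslash escapes kept, plus the new position.
function collectHttpQuotedString(input, position) {
  const start = position;
  position += 1; // skip the opening U+0022
  while (position < input.length) {
    const c = input[position];
    position += 1;
    if (c === "\\") {
      // quoted-pair: keep the next code point verbatim, if there is one
      if (position < input.length) position += 1;
    } else if (c === '"') {
      break; // closing quote
    }
  }
  return { value: input.slice(start, position), position };
}

// Strip HTTP tab or space (only U+0009 and U+0020) from both ends.
function trimHttpWhitespace(s) {
  return s.replace(/^[\t ]+/, "").replace(/[\t ]+$/, "");
}

// Fetch "get, decode, and split a header value".
function getDecodeAndSplitValue(input) {
  const values = [];
  let position = 0;
  let temporaryValue = "";
  while (true) {
    // collect code points that are neither '"' nor ','
    const start = position;
    while (position < input.length && input[position] !== '"' && input[position] !== ",") {
      position += 1;
    }
    temporaryValue += input.slice(start, position);
    if (position < input.length && input[position] === '"') {
      const q = collectHttpQuotedString(input, position);
      temporaryValue += q.value;
      position = q.position;
      if (position < input.length) continue; // the same member continues
    }
    values.push(trimHttpWhitespace(temporaryValue));
    temporaryValue = "";
    if (position >= input.length) return values;
    // input[position] is necessarily ',' here: the scan above stops only on '"' or ','
    position += 1;
  }
}

// Fetch "get, decode, and split" a header name from a header list: repeated
// fields are first combined with ", " (0x2C 0x20), exactly as "get" does.
function getDecodeAndSplit(headers, name) {
  const lname = name.toLowerCase();
  const matches = headers.filter(([n]) => n.toLowerCase() === lname).map(([, v]) => v);
  if (matches.length === 0) return null;
  return getDecodeAndSplitValue(matches.join(", "));
}

// Fetch "determine nosniff": only values[0] counts, compared ASCII case-insensitively.
function determineNosniff(headers) {
  const values = getDecodeAndSplit(headers, "X-Content-Type-Options");
  if (values === null) return false;
  return values[0].replace(/[A-Z]/g, (c) => c.toLowerCase()) === "nosniff";
}

// Constructed header lists for demonstration.
const IANA_STYLE = [ // two separate fields, as in the curl output in the issue
  ["X-Content-Type-Options", "nosniff"],
  ["X-Content-Type-Options", "nosniff"],
];
const UPPERCASE = [["x-content-type-options", "NOSNIFF"]];
const UNKNOWN_FIRST = [["X-Content-Type-Options", "future-option, nosniff"]];
const NONE = [["Content-Type", "text/html"]];

console.log(getDecodeAndSplit(IANA_STYLE, "X-Content-Type-Options")); // [ 'nosniff', 'nosniff' ]
console.log(determineNosniff(IANA_STYLE), determineNosniff(UPPERCASE)); // true true
console.log(determineNosniff(UNKNOWN_FIRST), determineNosniff(NONE)); // false false
```

Two points worth noticing when running it: the duplicated IANA fields collapse to the list `["nosniff", "nosniff"]` before `values[0]` is read, so repetition is harmless, whereas an unknown member placed first (`future-option, nosniff`) makes the whole header count as not-nosniff, because the algorithm never looks past the first list member.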