Component: DOM: Core & HTML → Security
QA Contact: general → toolkit
I'll take this. dynamis, thanks for reporting, but I would encourage you to hold off on filing not-implemented-per-spec bugs just yet. I only say this, as I've seen you CC yourself on a number of CSP implementation bugs and I want to save you the time. The "spec" is still in flux and there are a number of known disparities between the Gecko implementation and what's in the "spec", which is still in Unofficial Draft status. I do appreciate you filing this bug, though. Incidentally, we may want to expand the list of allowed MIME types beyond the two listed here.
Assignee: nobody → bsterne
Component: Security → DOM: Core & HTML
QA Contact: toolkit → general
Brandon - do you know why this was dropped from the CSP spec?
This requirement was taken out of the spec in Nov 2011 https://dvcs.w3.org/hg/content-security-policy/rev/76f67cf1e5ad Hopefully we can get something like it back in because the current behavior is potentially dangerous (e.g. bug 722547).
I'm WONTFIXING this. You can get stricter MIME type checking by using X-Content-Type-Options. If you want that to be CSP controlled I recommend filing a specification issue first.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → WONTFIX
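As an added example, not from this bug, the CSP draft, or Gecko: a JavaScript model of the stricter MIME type checking that X-Content-Type-Options gives you, written to follow the Fetch standard's "blocked due to nosniff" and "blocked due to MIME type" steps and the JavaScript MIME type list from the MIME Sniffing standard. The header objects at the bottom are constructed for the demonstration; the function names are this example's own.

```javascript
// Added example: models what a browser does with X-Content-Type-Options: nosniff
// for script and stylesheet loads. Function names are this example's own;
// the decision rules follow the Fetch standard, the MIME type list follows the
// MIME Sniffing standard's "JavaScript MIME type" list.

const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Destinations the spec treats as "script-like".
const SCRIPT_LIKE = new Set([
  "audioworklet", "paintworklet", "script", "serviceworker", "sharedworker", "worker",
]);

// Reduce a Content-Type value to its essence ("type/subtype", lowercased,
// parameters dropped). Returns null when the header is absent or malformed,
// which the spec calls "failure".
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const slash = essence.indexOf("/");
  if (slash <= 0 || slash === essence.length - 1) return null;
  return essence;
}

// "Determine nosniff": only the first comma-separated element counts, and it
// must be an ASCII case-insensitive match for "nosniff".
function hasNosniff(headerValue) {
  if (typeof headerValue !== "string") return false;
  return headerValue.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Blocking that applies regardless of nosniff: scripts served as image/*,
// audio/*, video/* or text/csv are refused. An unparseable type is allowed here.
function blockedByMimeType(headers, destination) {
  const essence = mimeEssence(headers["content-type"]);
  if (essence === null || !SCRIPT_LIKE.has(destination)) return false;
  return /^(audio|image|video)\//.test(essence) || essence === "text/csv";
}

// Blocking that nosniff adds: script-like destinations require a JavaScript
// MIME type, "style" requires text/css, and a missing or malformed
// Content-Type is blocked too. Other destinations (images, fetch(), ...) pass.
function blockedByNosniff(headers, destination) {
  if (!hasNosniff(headers["x-content-type-options"])) return false;
  const essence = mimeEssence(headers["content-type"]);
  if (SCRIPT_LIKE.has(destination)) {
    return essence === null || !JAVASCRIPT_MIME_TYPES.has(essence);
  }
  if (destination === "style") {
    return essence !== "text/css";
  }
  return false;
}

// Combined decision for one response: blocked if either rule says so.
function shouldBlock(headers, destination) {
  return blockedByMimeType(headers, destination) || blockedByNosniff(headers, destination);
}

// Constructed sample responses (header names lowercased as a browser would).
const SAMPLES = [
  ["text/plain script, nosniff",    { "content-type": "text/plain", "x-content-type-options": "nosniff" }, "script"],
  ["text/plain script, no nosniff", { "content-type": "text/plain" }, "script"],
  ["real JS with charset, NoSniff", { "content-type": "application/javascript; charset=utf-8", "x-content-type-options": "NoSniff" }, "script"],
  ["image/png as script, no nosniff", { "content-type": "image/png" }, "script"],
  ["no Content-Type, nosniff",      { "x-content-type-options": "nosniff" }, "script"],
];

for (const [label, headers, destination] of SAMPLES) {
  console.log(`${label}: ${shouldBlock(headers, destination) ? "BLOCKED" : "allowed"}`);
}
```

The second sample is the gap this bug was about: without nosniff, a text/plain response is still executed as script, and only the handful of types in blockedByMimeType are refused. The server, not the page's CSP, has to opt in with the nosniff header.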