HTML Standard Tracker

SVN: 1226
Bug: [Conformance Checkers] [Gecko] [Internet Explorer] [Opera] [Webkit] [Tools]
Comment: Make the content-type sniffing for browsing context navigation optional when the Content-Type metadata is present.
Time (UTC): 2008-02-14 21:38

@@ -27009,20 +27009,31 @@ user reload must be equivalent to .reload()
   thus benign), but a Web browser believes the content to be HTML (and
   thus capable of executing script), the end user can be exposed to
   malicious content, making the user vulnerable to cookie theft
   attacks and other cross-site scripting attacks.</p>
 
   <p>The <dfn title="Content-Type sniffing">sniffed type of a
   resource</dfn> must be found as follows:</p>
 
   <ol>
 
+   <li><p>Let <var title="">official type</var> be the type given by
+   the <span title="Content-Type">Content-Type metadata</span> for the
+   resource (in lowercase<!-- XXX ASCII case folding -->, ignoring any
+   parameters). If there is no such type, jump to the <em
+   title="content-type sniffing: unknown type">unknown type</em> step
+   below.</p></li>
+
+   <li><p>If the user agent is configured to strictly obey
+   Content-Type headers for this resource, then jump to the last step
+   in this set of steps.</p></li>
+
    <li><p>If the resource was fetched over an HTTP protocol, and there
    is no HTTP Content-Encoding header, but there is an HTTP
    Content-Type header and it has a value whose bytes exactly match
    one of the following three lines:</p>
 
     <table>
      <thead>
       <tr>
        <th>Bytes in Hexadecimal
        <th>Textual representation
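Review bot: the new second step targets "the last step in this set of steps" by position, unlike every other jump in this list, which names its target (the "unknown type" step, the "text or binary" section); since this same change reorders the list, give the final step a title and jump to it by name so that a later insertion cannot silently retarget the strict-mode path. The ordering itself is sound: the strict-mode check now sits ahead of the exact-bytes match for the Apache "text/plain" defaults, so a user agent configured to obey Content-Type never reaches the "text or binary" heuristic that can turn a text/plain resource into HTML, which is exactly the exposure the paragraph above describes. The carried-over "in lowercase" with its XXX marker is now the basis for every later comparison of official type, so spelling out ASCII case-insensitive matching here would be better than leaving the XXX.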
@@ -27036,27 +27047,20 @@ user reload must be equivalent to .reload()
       <tr> <!-- Debian's arbitrarily different Modern Apache default -->
        <td>74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31
        <td><code title="">text/plain;&nbsp;charset=iso-8859-1</code>
     </table>
 
     <p>...then jump to the <em title="content-type sniffing: text or
     binary">text or binary</em> section below.</p>
 
    </li>
 
-   <li><p>Let <var title="">official type</var> be the type given by
-   the <span title="Content-Type">Content-Type metadata</span> for the
-   resource (in lowercase<!-- XXX ASCII case folding -->, ignoring any
-   parameters). If there is no such type, jump to the <em
-   title="content-type sniffing: unknown type">unknown type</em> step
-   below.</p></li>
-
    <li><p>If <var title="">official type</var> is "unknown/unknown" or
    "application/unknown", jump to the <em title="content-type
    sniffing: unknown type">unknown type</em> step below.</p></p>
    <!-- In a study looking at many billions of pages whose first five
    characters were "<HTML", "unknown/unknown" was used to label
    documents about once for every 5000 pages labelled "text/html", and
    "application/unknown" was used about once for every 35000 pages
    labelled "text/html". -->
 
    <li><p>If <var title="">official type</var> ends in "+xml", or if
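Review bot: the removed block matches the one inserted at the top of the list word for word, so this is a pure move with no wording change, which is what the commit comment implies. While the surrounding list is being touched, the unchanged "unknown/unknown" step in this hunk closes with `</p></p>` where `</p></li>` is expected, leaving that `<li>` unclosed; worth fixing in the same change.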
@@ -27067,22 +27071,22 @@ user reload must be equivalent to .reload()
 
    <li><p>If <var title="">official type</var> is an image type
    supported by the user agent (e.g. "image/png", "image/gif",
    "image/jpeg", etc), then jump to the <em title="content-type
    sniffing: image">images</em> section below.</p></li>
 
    <li><p>If <var title="">official type</var> is "text/html", then
    jump to the <em title="content-type sniffing: feed or html">feed or
    HTML</em> section below.</p></li>
 
-   <li><p>Otherwise, the sniffed type of the resource is <var
-   title="">official type</var>.</p></li>
+   <li><p>The sniffed type of the resource is <var title="">official
+   type</var>.</p></li>
 
   </ol>
 
 
   <h4><dfn>Content-Type sniffing: text or binary</dfn></h4>
 
   <ol>
 
    <li><p>The user agent may wait for 512 or more bytes of the resource
    to be available.</p></li>
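Review bot: dropping "Otherwise" from the final step is necessary now that the strict-mode step jumps straight to it, but the step no longer says when it applies; consider wording it as the result both for the strict-mode jump and for an official type that matched none of the preceding cases, so a reader does not assume it is reachable only by falling through. Note also that the strict-mode jump skips the image and text/html steps, so a strict user agent will not run the "feed or HTML" detection for text/html either; if that is intended, it should be stated, since "optional" in the commit comment reads as covering only the byte-sniffing paths.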
