
Nosniff header support coming to Chrome and Firefox - geetarista
https://github.com/blog/1482-heads-up-nosniff-header-support-coming-to-chrome-and-firefox
======
ryankshaw
Since they are disabling this, it would be nice if they provided a URL that
you could hot-link to that just gets served from a CDN and only updates every 5
minutes or so. Best of both worlds: they don't need to have it hit their full
stack on every request, and I can make a jsperf using
`<script src="//cdn.github.com/documentcloud/underscore/master/underscore.js">`

~~~
croddin
That is similar to what GitHub Pages is. The limitation is just that the file
must be in GitHub Pages and you can only get to the current file in the
gh-pages branch.

<https://raw.github.com/documentcloud/underscore/master/underscore-min.js>

won't work but

<http://documentcloud.github.io/underscore/underscore-min.js>

will.

Also it looks like there is already a workaround to get to raw pages:
<https://rawgithub.com/>

------
nijiko
Which ruins quick iterated testing for jsfiddle and jsbin using gist.

~~~
mistercow
There are a couple of ways that it can be worked around for jsfiddle (assuming
you use the "External Resources" tab). One is to pull the file in through an
AJAX request and then eval the result. The other is for the backend to pull
the script and serve it with headers stripped. The latter approach would be
preferable, because then they can use a reasonable caching strategy and not
drain github's resources.

------
nodesocket
Correct me if I am wrong, but wouldn't the nginx directive `valid_referers`
(<http://wiki.nginx.org/HttpRefererModule#valid_referers>) prevent
hot-linking?

~~~
mastahyeti
It would, but it would create other problems also. If I were to link to a
raw.github.com URL on HN, it would be disallowed because the Referer header
would be "incorrect".

~~~
Amadou
Not to mention the fact that referrers are an optional part of the HTTP spec,
so requiring them is bad form to begin with.
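To see what nodesocket's suggestion does to the cases mastahyeti and Amadou describe, the following is an added example, not code from the thread or from nginx: a simplified model of `valid_referers` evaluated over constructed requests. It supports the rule forms `none`, `blocked`, `server_names`, an exact hostname and a leading-wildcard hostname; the path-prefix and regex forms nginx also accepts are left out, and the server names and Referer values are invented for the example.

```python
from urllib.parse import urlsplit


def referer_allowed(referer, rules, server_names):
    """Return True when this simplified valid_referers model would leave
    $invalid_referer empty, i.e. the request passes the hot-link check.
    `referer` is the raw header value, or None when the header is absent."""
    if referer is None:
        return "none" in rules          # only the 'none' rule admits a missing header
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" in rules       # header present but rewritten by a proxy/firewall
    host = (urlsplit(referer).hostname or "").lower()
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in server_names:
                return True
        elif rule.startswith("*."):
            if host.endswith(rule[1:]):   # '*.github.com' matches any subdomain
                return True
        elif host == rule.lower():
            return True
    return False


# Constructed configuration, standing in for a raw-file host (assumed names).
SERVER_NAMES = {"raw.github.com"}
STRICT_RULES = ["server_names", "*.github.com"]
RELAXED_RULES = ["none", "blocked", "server_names", "*.github.com"]

# Constructed requests: the Referer each kind of client would send for a raw URL.
REQUESTS = {
    "<script src> on a gist.github.com page": "https://gist.github.com/someone/1234",
    "link clicked on news.ycombinator.com": "https://news.ycombinator.com/item?id=5555",
    "URL typed in, curl, or privacy extension (no Referer)": None,
    "Referer rewritten by a corporate proxy": "XXXX-hidden",
}


def evaluate(rules):
    """Map each constructed request to True (allowed) or False (denied)."""
    return {label: referer_allowed(ref, rules, SERVER_NAMES)
            for label, ref in REQUESTS.items()}


if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("relaxed", RELAXED_RULES)):
        print(f"valid_referers {' '.join(rules)};  # {name}")
        for label, allowed in evaluate(rules).items():
            print(f"  {'allow' if allowed else 'deny '}  {label}")
```

With the strict rule set, a raw URL pasted into an HN comment and a URL fetched with no Referer at all are both denied. Adding `none` and `blocked` fixes the second case, but then any client that simply omits the header is admitted, which is Amadou's point in practice: a header the client may leave out cannot carry an access decision, at most it can inform logging.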

------
ck2
Any downside to just adding this to all responses from a server?

The only problem I could see is if some images were sent with wrong MIME types
(or none at all).
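To make two of the questions in this thread concrete (ryankshaw's hot-linked `<script src>` pointing at a raw URL, and ck2's question about turning the header on for every response), here is an added example that is not code from the thread or from GitHub. It models the browser-side rule that `X-Content-Type-Options: nosniff` switches on, as defined in the Fetch standard, and runs it over a handful of constructed responses to see which would stop working. It assumes, following GitHub's announcement rather than anything stated in the thread, that raw files are served as `text/plain`; the paths, bodies, the extension-to-destination table and the magic-byte list are simplifications made for the example.

```python
import os.path

# MIME types the Fetch / MIME Sniffing standards treat as JavaScript.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def get_header(headers, name):
    """Case-insensitive lookup of a header value; None when absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def content_type_essence(headers):
    """type/subtype of Content-Type, lowercased, with parameters dropped."""
    value = get_header(headers, "Content-Type")
    return None if value is None else value.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers):
    """Fetch's 'determine nosniff': the first comma-separated token is 'nosniff'."""
    value = get_header(headers, "X-Content-Type-Options") or ""
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(headers, destination):
    """True when a browser would refuse to use the response for `destination`
    ('script', 'style', 'image', ...). Only script and style are ever blocked."""
    if not nosniff_enabled(headers):
        return False
    essence = content_type_essence(headers)
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False   # images and other destinations are not affected by nosniff


# A few magic-byte signatures, enough to spot an image served with the wrong type.
MAGIC_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Simplified mapping from file extension to the fetch destination a page would use.
DESTINATION_BY_EXTENSION = {".js": "script", ".css": "style",
                            ".png": "image", ".jpg": "image", ".gif": "image"}


def sniffed_image_type(body):
    """Return the image MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC_SIGNATURES:
        if body.startswith(magic):
            return mime
    return None


def audit(responses):
    """For each (path, headers, body) response, report whether adding nosniff
    would make a browser block it, and whether the declared Content-Type
    disagrees with the bytes actually served."""
    report = {}
    for path, headers, body in responses:
        with_nosniff = dict(headers)
        with_nosniff["X-Content-Type-Options"] = "nosniff"
        extension = os.path.splitext(path)[1].lower()
        destination = DESTINATION_BY_EXTENSION.get(extension, "other")
        sniffed = sniffed_image_type(body)
        report[path] = {
            "blocked_under_nosniff": blocked_by_nosniff(with_nosniff, destination),
            "content_type_mismatch": sniffed is not None
                                     and sniffed != content_type_essence(headers),
        }
    return report


# Constructed responses (bodies are stubs, not real files). text/plain for the
# raw file is an assumption taken from GitHub's announcement, not from the thread.
SAMPLE_RESPONSES = [
    ("raw/underscore.js",   {"Content-Type": "text/plain; charset=utf-8"}, b"var _ = {};"),
    ("pages/underscore.js", {"Content-Type": "application/javascript"},   b"var _ = {};"),
    ("site/app.css",        {"Content-Type": "text/plain"},               b"body{margin:0}"),
    ("img/logo.png",        {"Content-Type": "text/plain"},               b"\x89PNG\r\n\x1a\n" + b"\0" * 8),
    ("img/photo.jpg",       {"Content-Type": "image/jpeg"},               b"\xff\xd8\xff\xe0" + b"\0" * 8),
]

if __name__ == "__main__":
    for path, result in audit(SAMPLE_RESPONSES).items():
        print(f"{path:22} blocked={result['blocked_under_nosniff']!s:5} "
              f"mismatch={result['content_type_mismatch']}")
```

Under the standard rule only script and style destinations are ever blocked, so the PNG declared as `text/plain` keeps rendering after the header is added; it is still reported as a mismatch, because a wrong declared type is what sniffing was papering over in the first place. The `.js` and `.css` files served as `text/plain` are the ones that break, which is exactly what hot-linking raw files into a `<script>` tag ran into.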

------
twic
Can this be paraphrased as "our architecture for serving raw views is
terrible, so we took a feature away from our users"?

