[Bug 12390] A sandboxed MIME type attribute would be better than a fully qualified MIME type

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390

Adam Barth <w3c@adambarth.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |w3c@adambarth.com

--- Comment #1 from Adam Barth <w3c@adambarth.com> 2011-05-09 18:45:58 UTC ---
The reason to use the MIME type is to get fail-closed behavior in legacy user
agents.  My understanding is that having a MIME parameter defeats that goal. 
If we want fail-open, then we can use something like Content-Security-Policy to
deliver a sandbox directive.

Note: Using the MIME type does not fail-closed in 100% of situations.  There
are a couple ways you can trick IE6 into failing open, even with a sandboxed
MIME type, due to the lax content sniffing behavior in IE6.  As IE6 becomes less
relevant, however, this issue probably matters less.


Received on Monday, 9 May 2011 18:46:01 UTC
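
An added illustration of the fail-closed versus fail-open distinction in comment #1 (not part of the original bug mail, and not any browser's actual algorithm): a simplified model of how agents with and without sandbox support treat three ways of delivering the sandbox signal. The `text/html-sandboxed` type name, the `sandbox` parameter name, the agent flags and the sample body are assumptions of this model.

```javascript
// Simplified model for illustration; not any real browser's algorithm.
function parseContentType(value) {
  const [type, ...rest] = value.split(";");
  const params = {};
  for (const p of rest) {
    const [k, v = ""] = p.split("=");
    if (k.trim()) params[k.trim().toLowerCase()] = v.trim();
  }
  return { type: type.trim().toLowerCase(), params };
}

// ua.knowsSandbox: agent implements the sandbox mechanisms modelled here.
// ua.sniffs: lax sniffing, renders HTML-looking bodies of unknown types.
function handle(ua, headers, body) {
  const { type, params } = parseContentType(headers["content-type"] || "");
  const csp = (headers["content-security-policy"] || "").toLowerCase();
  const cspSandbox = csp.split(";").some((d) => d.trim().split(/\s+/)[0] === "sandbox");
  if (type === "text/html") {
    // Unknown parameters and headers are ignored by agents that predate them.
    const sandboxed = ua.knowsSandbox && ("sandbox" in params || cspSandbox);
    return sandboxed ? "rendered-sandboxed" : "rendered-unsandboxed";
  }
  if (type === "text/html-sandboxed" && ua.knowsSandbox) return "rendered-sandboxed";
  // Unknown type: a strict agent does not render it; a sniffing agent may.
  if (ua.sniffs && /<html|<script/i.test(body)) return "rendered-unsandboxed";
  return "not-rendered";
}
// Constructed sample response body and delivery options (assumed names).
const BODY = "<html><script>/* untrusted */</script></html>";
const DELIVERIES = {
  dedicatedType: { "content-type": "text/html-sandboxed" },
  mimeParameter: { "content-type": "text/html; sandbox" }, // hypothetical parameter
  cspDirective: { "content-type": "text/html", "content-security-policy": "sandbox" },
};
const AGENTS = {
  aware: { knowsSandbox: true, sniffs: false },
  legacy: { knowsSandbox: false, sniffs: false },
  legacySniffing: { knowsSandbox: false, sniffs: true },
};
function outcomes() {
  const table = {};
  for (const [agent, ua] of Object.entries(AGENTS)) {
    table[agent] = {};
    for (const [name, headers] of Object.entries(DELIVERIES))
      table[agent][name] = handle(ua, headers, BODY);
  }
  return table;
}
console.log(outcomes());
```

In the output, only the dedicated type leaves the non-sniffing legacy agent at `not-rendered`; the parameter and the CSP directive both render unsandboxed there. The sniffing legacy agent renders all three unsandboxed, which is the residual fail-open case the comment notes.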