
Re: review of content type rules by IETF/HTTP community

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 21 Aug 2007 19:10:42 -0700
Cc: Ian Hickson <ian@hixie.ch>, public-html@w3.org
Message-Id: <8F39DC52-7790-4F5E-92B9-AA1308E37AD5@apple.com>
To: Roy T. Fielding <fielding@gbiv.com>


On Aug 21, 2007, at 5:34 PM, Roy T. Fielding wrote:

> On Aug 21, 2007, at 4:02 PM, Maciej Stachowiak wrote:
>> The sniffing behavior in HTML5 is not orthogonal to the rest of the
>> spec. It depends on the loading context.
>> <iframe src="gif-sent-with-text-plain-type.txt"> will have different
>> results than <img src="gif-sent-with-text-plain-type.txt">. This is
>> necessary both for compatibility and to minimize the scope of the
>> content sniffing.
>
> No, it just guarantees that intermediaries (which have no idea of the
> context) will always have a different sniffing algorithm than the
> browsers.  Brilliant.  Are there any other security holes in MSIE you
> want to make standard?

Can you clarify how it is a security hole to treat something as either  
a GIF image or unknown binary data in different contexts, when the  
server incorrectly reports it to be text/plain? The vulnerability is  
not obvious to me.

Regards,
Maciej
Received on Wednesday, 22 August 2007 02:10:52 GMT
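
The case argued over in this message, as an added example that is not part of the original thread and is not the HTML5 draft's algorithm: a simplified sketch of context-dependent sniffing for a body served as text/plain. The function names, the control-byte rule, the treatment of a context-free observer and the sample bytes are all assumptions made for illustration.

```javascript
// Simplified sketch (assumption): only GIF signatures and a control-byte
// heuristic are modelled, to show why the result depends on who is asking.
const GIF_SIGNATURES = ["GIF87a", "GIF89a"];

// Control bytes that do not occur in ordinary text (assumed rule set).
function isBinaryByte(b) {
  return b <= 0x08 || b === 0x0b || (b >= 0x0e && b <= 0x1a) ||
         (b >= 0x1c && b <= 0x1f);
}

function looksLikeGif(bytes) {
  const head = String.fromCharCode(...bytes.slice(0, 6));
  return GIF_SIGNATURES.includes(head);
}

// context: "image" (<img>), "browsing" (<iframe>), or null for an observer
// with no loading context, such as an intermediary (hypothetical model).
function effectiveType(declaredType, bytes, context) {
  if (context === "image") {
    // Image loads check signatures; this sketch only recognises GIF.
    return looksLikeGif(bytes) ? "image/gif" : null;
  }
  if (context === "browsing" && declaredType === "text/plain") {
    // Mislabelled binary is demoted to opaque data, never promoted to an image.
    return bytes.some(isBinaryByte) ? "application/octet-stream" : "text/plain";
  }
  return declaredType; // no context: only the declared type is available
}

// Returns the verdict each observer reaches for the same response.
function compareContexts(declaredType, bytes) {
  return {
    img: effectiveType(declaredType, bytes, "image"),
    iframe: effectiveType(declaredType, bytes, "browsing"),
    noContext: effectiveType(declaredType, bytes, null),
  };
}

// Constructed sample: start of a 1x1 GIF89a header, and a plain-text body.
const SAMPLE_GIF = [0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00];
const SAMPLE_TEXT = Array.from("hello, world\r\n", (c) => c.charCodeAt(0));

console.log(compareContexts("text/plain", SAMPLE_GIF));
console.log(compareContexts("text/plain", SAMPLE_TEXT));
```

For the GIF sample the three observers disagree (image, opaque binary, declared text), which is the divergence both sides of the thread are describing; for the plain-text sample the two typed verdicts agree on text/plain.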
