W3C home > Mailing lists > Public > public-html@w3.org > July 2010

Re: video/@src vs application/octet-stream

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 19 Jul 2010 11:29:31 -0700
Message-ID: <AANLkTikceh8KLHWq_pfx3e0_lsdP16rTKKlVL9LYoZv3@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Maciej Stachowiak <mjs@apple.com>, Boris Zbarsky <bzbarsky@mit.edu>, "public-html@w3.org" <public-html@w3.org>
On Mon, Jul 19, 2010 at 11:20 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 19.07.2010 20:09, Maciej Stachowiak wrote:
>> For Safari/WebKit, we wanted to make it possible for the<video>  element
>> to play content that was previously embedded via the QuickTime plugin or
>> other plugins we support. Unfortunately, a fair proportion of such content
>> is being served with the wrong MIME type, most typically
>> application/octet-stream but sometimes also text/plain. We thought it might
>> create too high a barrier, if authors had to reconfigure their Web servers
>> before they could switch from the QuickTime plugin to<video>.
>
> Thanks for the feedback.
>
> So, does this make Safari non-compliant? It appears so, as
> draft-abarth-mime-sniff doesn't mention sniffing for video, and the spec
> text about video/@src doesn't seem to make an exception.

>From http://tools.ietf.org/html/draft-abarth-mime-sniff-05#section-5:

[[
   User agents MAY support additional types if necessary, by implicitly
   adding to the above table.  However, user agents SHOULD NOT not use
   any other patterns for types already mentioned in the table above
   because this could then be used for privilege escalation (where,
   e.g., a server uses the above table to determine that content is not
   HTML and thus safe from cross-site scripting attacks, but then a user
   agent detects it as HTML anyway and allows script to execute).  In
   extending this table, user agents SHOULD NOT introduce any privilege
   escalation vulnerabilities.
]]

However, what matters is not a legalistic reading of the
specifications.  What matters is the market forces.  If you don't want
browsers to sniff video (or some future type for some future API), you
need to change the underlying incentive structure.

Adam
Received on Monday, 19 July 2010 18:30:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:10 GMT