W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [widgets] Content-type sniffing and file extension to MIME mapping

From: Bil Corry <bil@corry.biz>
Date: Sat, 29 Nov 2008 23:44:17 -0600
Message-ID: <49322831.6080006@corry.biz>
To: public-webapps <public-webapps@w3.org>

Marcos Caceres wrote on 11/29/2008 9:39 AM: 
> I had a discussion with Henri Sivonen and a few other people in the
> HTML-WG about using HTML5's content-type sniffing as a way of deriving
> the MIME type of files inside a widget package. Henri suggested that
> we should primarily rely on file extensions as a way of mapping files
> to MIME types. Although relying on extensions can be potentially
> unreliable, it seems like a simple solution to a complicated problem.

Content-sniffing can pose it's own problems, here's one example:

	http://www.gnucitizen.org/blog/backdooring-images/


> For the spec, I guess  it would mean including a table of file
> extension to MIME type mappings into the spec for common IANA
> registered types (MIME type registrations list file extensions).

The Apache (httpd) project includes a file called "mime.types" that maps file extensions to MIME types.  I haven't seen anything more extensive than Apache's.


> As a
> second line of defense, if there is no file extension, or the file
> extension does not map to the file extension to MIME table, then HTML
> content-type sniffing heuristics can be used.

This paper describes how the major browsers do it:

	http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

Firefox specifically appears to do it the way you're proposing here.


- Bil
Received on Sunday, 30 November 2008 05:45:11 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT