W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [widgets] Content-type sniffing and file extension to MIME mapping

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 30 Nov 2008 06:04:43 +0000 (UTC)
To: Bil Corry <bil@corry.biz>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0811300602040.17401@hixie.dreamhostps.com>

On Sat, 29 Nov 2008, Bil Corry wrote:
> Marcos Caceres wrote on 11/29/2008 9:39 AM: 
> > I had a discussion with Henri Sivonen and a few other people in the
> > HTML-WG about using HTML5's content-type sniffing as a way of deriving
> > the MIME type of files inside a widget package. Henri suggested that
> > we should primarily rely on file extensions as a way of mapping files
> > to MIME types. Although relying on extensions can be potentially
> > unreliable, it seems like a simple solution to a complicated problem.
> 
> Content-sniffing can pose it's own problems, here's one example:
> 
> 	http://www.gnucitizen.org/blog/backdooring-images/

Content-sniffing providing privilege escalation is a problem, as is 
non-interoperable content-sniffing. However, assuming you define the 
content-sniffing to not have any privilege escalations, and assuming that 
all implementations implement the same thing, there's no problem.

Note also that none of this applies to widgets, since the user has already 
given them as full a set of privileges as would be possible to obtain 
through content-sniffing.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 30 November 2008 06:05:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT