W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [widgets] Content-type sniffing and file extension to MIME mapping

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Wed, 3 Dec 2008 16:37:27 +0000
Message-ID: <b21a10670812030837g186cab73w3c2b910ebbca393@mail.gmail.com>
To: "Bil Corry" <bil@corry.biz>
Cc: public-webapps <public-webapps@w3.org>

Hi Bil,
Sorry, your I accidentally skipped over your email.

On Sun, Nov 30, 2008 at 5:44 AM, Bil Corry <bil@corry.biz> wrote:
>
> Marcos Caceres wrote on 11/29/2008 9:39 AM:
>> I had a discussion with Henri Sivonen and a few other people in the
>> HTML-WG about using HTML5's content-type sniffing as a way of deriving
>> the MIME type of files inside a widget package. Henri suggested that
>> we should primarily rely on file extensions as a way of mapping files
>> to MIME types. Although relying on extensions can be potentially
>> unreliable, it seems like a simple solution to a complicated problem.
>
> Content-sniffing can pose it's own problems, here's one example:
>
>        http://www.gnucitizen.org/blog/backdooring-images/
>

I see.

>
>> For the spec, I guess  it would mean including a table of file
>> extension to MIME type mappings into the spec for common IANA
>> registered types (MIME type registrations list file extensions).
>
> The Apache (httpd) project includes a file called "mime.types" that maps file extensions to MIME types.  I haven't seen anything more extensive than Apache's.
>
>
>> As a
>> second line of defense, if there is no file extension, or the file
>> extension does not map to the file extension to MIME table, then HTML
>> content-type sniffing heuristics can be used.
>
> This paper describes how the major browsers do it:
>
>        http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf
>
> Firefox specifically appears to do it the way you're proposing here.

Thanks for this resource, it was quite useful!


-- 
Marcos Caceres
http://datadriven.com.au
Received on Wednesday, 3 December 2008 16:38:06 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT