Re: [widgets] Content-type sniffing and file extension to MIME mapping

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 9 Dec 2008 14:06:55 -0800
Message-ID: <7789133a0812091406x473f42ccsab1575f36ef9286b@mail.gmail.com>
To: "Marcos Caceres" <marcosscaceres@gmail.com>
Cc: "Jonas Sicking" <jonas@sicking.cc>, "Simon Pieters" <simonp@opera.com>, "Laurens Holst" <lholst@students.cs.uu.nl>, public-webapps <public-webapps@w3.org>

On Tue, Dec 9, 2008 at 12:42 PM, Marcos Caceres
<marcosscaceres@gmail.com> wrote:
> If authors want to use "application/xml",
> then they can use <content src="somefile" type="application/xml" />
> and hope for the best :)

I haven't been following the widget discussion very closely, so I
apologize if this issue is understood already, but, in general, being
able to coerce an arbitrary URL to application/xml is a big security
problem.  Can you point me to where the <content> tag is defined?

Thanks,
Adam
Received on Tuesday, 9 December 2008 22:14:33 GMT
