Re: [widgets] Content-type sniffing and file extension to MIME mapping

From: timeless <timeless@gmail.com>
Date: Wed, 10 Dec 2008 12:19:46 +0200
Message-ID: <26b395e60812100219g337f205ds640d2092d80737bf@mail.gmail.com>
To: "Adam Barth" <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>

On Tue, Dec 9, 2008 at 12:42 PM, Marcos Caceres
<marcosscaceres@gmail.com> wrote:
> If authors want to use "application/xml",
> then they can use <content src="somefile" type="application/xml" />
> and hope for the best :)

On Wed, Dec 10, 2008 at 12:06 AM, Adam Barth <w3c@adambarth.com> wrote:
> I haven't been following the widget discussion very closely, so I
> apologize if this issue is understood already, but, in general, being
> able to coerce an arbitrary URL to application/xml is a big security
> problem.  Can you point me to where the <content> tag is defined?

this seems pointless. you're packaging your own widget. which means
you control somefile and the manifest.

you shouldn't be able to have somefile point *outside* widget, which
means you were responsible for packaging somefile.

if you're worried about a scanner, that's a problem the scanners will
have to manage anyway, as this is a new thing which is going to have a
slightly different profile than a web page.

the wua isn't being "tricked" anywhere, it's doing as instructed and
would know it was doing so.

i can certainly serve a file named "something" as type
"application/xml" over http; the difference here is that you're an
archive (zip) which doesn't encode mime types and has no "server".

Received on Wednesday, 10 December 2008 10:20:34 GMT
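To make the two points of the thread concrete (src must not reach outside the package, and the type comes from the manifest rather than from a server), here is an added example, not code from this thread or from any widget user agent, of how a user agent could resolve `<content src="somefile" type="application/xml" />`. The extension-to-type table, the in-memory zip package and the config.xml strings are constructed for the example and are assumptions, not the specification's own values.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

# Constructed extension-to-media-type table for this example; a real widget
# user agent would use whatever mapping its specification defines.
EXT_TO_TYPE = {".html": "text/html", ".htm": "text/html", ".xml": "application/xml",
               ".js": "application/javascript", ".css": "text/css"}
DEFAULT_TYPE = "text/html"


def resolve_in_package(src):
    """Normalize a <content src> value; refuse anything that leaves the package.
    The zip has no server enforcing a document root, so the UA must do it."""
    if not src or src.startswith("/") or "\\" in src or ":" in src:
        raise ValueError("src must be a relative forward-slash path: %r" % src)
    norm = posixpath.normpath(src)
    if norm == ".." or norm.startswith("../"):
        raise ValueError("src escapes the widget package: %r" % src)
    return norm


def resolve_start_file(config_xml, package):
    """Return (entry name, media type) for the <content> element of config.xml.
    An explicit type attribute wins, since the author packaged the file and the
    manifest is authoritative; otherwise the extension decides, with a default."""
    root = ET.fromstring(config_xml)
    # Match on local name so the example does not depend on the namespace URI.
    content = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "content"), None)
    if content is None or not content.get("src"):
        raise ValueError("config.xml has no <content src=...> element")
    name = resolve_in_package(content.get("src"))
    if name not in package.namelist():
        raise FileNotFoundError("no entry %r in package" % name)
    media_type = content.get("type")
    if media_type is None:
        media_type = EXT_TO_TYPE.get(posixpath.splitext(name)[1].lower(), DEFAULT_TYPE)
    return name, media_type


def build_package(entries):
    """Constructed in-memory widget package from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)
```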