W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [widgets] Content-type sniffing and file extension to MIME mapping

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Wed, 10 Dec 2008 10:55:48 +0000
Message-ID: <b21a10670812100255y46d078dfn8693d2404076a9a0@mail.gmail.com>
To: "Adam Barth" <w3c@adambarth.com>
Cc: "Jonas Sicking" <jonas@sicking.cc>, "Simon Pieters" <simonp@opera.com>, "Laurens Holst" <lholst@students.cs.uu.nl>, public-webapps <public-webapps@w3.org>

On Tue, Dec 9, 2008 at 10:06 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Dec 9, 2008 at 12:42 PM, Marcos Caceres
> <marcosscaceres@gmail.com> wrote:
>> If authors want to use "application/xml",
>> then they can use <content src="somefile" type="application/xml" />
>> and hope for the best :)
>
> I haven't been following the widget discussion very closely, so I
> apologize if this issue is understood already, but, in general, being
> able to coerce an arbitrary URL to application/xml is a big security
> problem.  Can you point me to where the <content> tag is defined?

The content element is defined here:
http://dev.w3.org/2006/waf/widgets/#the-content

Would certainly appreciate more details about the security threat.

Kind regards,
Marcos
-- 
Marcos Caceres
http://datadriven.com.au
Received on Wednesday, 10 December 2008 10:56:30 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT