
[whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Thu, 29 Nov 2012 01:30:38 -0500
Message-ID: <CAH4e3M5h9=7+MzCUFMBw6Mh5FW6zBc2e+FkjkhAvoofzAnm0Hg@mail.gmail.com>
To: whatwg List <whatwg@whatwg.org>

Based on my reading of the source code, it seems that Gecko treats a
resource served as 'application/octet-stream' as an unknown type which
is sniffed as if no Content-Type was specified.

Are there security implications with doing this? Or should I add
'application/octet-stream' to the list of unknown types that currently
includes 'unknown/unknown', 'application/unknown', and '*/*' (step 2
of the "media type sniffing algorithm")? Or, given that that step
calls the "rules for identifying an unknown media type" with the
sniff-scriptable flag set, should it get its own call, with the
sniff-scriptable flag unset? Are there other options here?

I haven't checked what UAs actually do in practice, but I don't
believe the spec currently allows anything but leaving resources
tagged as 'application/octet-stream' as they are.

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ http://gphemsley.org/blog/
Received on Thursday, 29 November 2012 06:36:22 GMT
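
The three options the message weighs, as an added sketch (not code from the message, Gecko, or the spec): `identifyUnknown` is a heavily reduced stand-in for the "rules for identifying an unknown media type", and the policy names and sample bodies are constructed for illustration.

```javascript
// Added sketch: reduced model, not the spec's full algorithm.
// Types the message lists as "unknown" in step 2.
const UNKNOWN_TYPES = ['unknown/unknown', 'application/unknown', '*/*'];

// Reduced stand-in for the "rules for identifying an unknown media type":
// a few HTML patterns (scriptable) and a few image magic numbers only.
function identifyUnknown(body, sniffScriptable) {
  const raw = body.subarray(0, 512).toString('latin1');
  if (sniffScriptable) {
    const text = raw.replace(/^[\t\n\f\r ]+/, '').toLowerCase();
    for (const tag of ['<!doctype html', '<html', '<script', '<iframe']) {
      // A pattern only counts when followed by a space or '>'.
      if (text.startsWith(tag) && /[ >]/.test(text.charAt(tag.length))) {
        return 'text/html';
      }
    }
  }
  const magic = [
    ['\x89PNG\r\n\x1a\n', 'image/png'],
    ['GIF89a', 'image/gif'],
    ['\xff\xd8\xff', 'image/jpeg'],
  ];
  for (const [sig, type] of magic) {
    if (raw.startsWith(sig)) return type;
  }
  return 'application/octet-stream'; // simplified fallback
}

// Hypothetical policy names for the options in the message:
//   'as-is'                 leave application/octet-stream as labelled
//   'unknown-scriptable'    add it to the step 2 list (flag set)
//   'unknown-nonscriptable' give it its own call with the flag unset
function computedType(contentType, body, policy) {
  const supplied = contentType.split(';')[0].trim().toLowerCase();
  if (UNKNOWN_TYPES.includes(supplied)) return identifyUnknown(body, true);
  if (supplied === 'application/octet-stream' && policy !== 'as-is') {
    return identifyUnknown(body, policy === 'unknown-scriptable');
  }
  return supplied;
}

function compare(body) {
  const policies = ['as-is', 'unknown-scriptable', 'unknown-nonscriptable'];
  return Object.fromEntries(
    policies.map((p) => [p, computedType('application/octet-stream', body, p)]));
}

// Constructed sample bodies, e.g. user uploads served as application/octet-stream.
const HTML_UPLOAD = Buffer.from('  <html><body>uploaded file</body></html>', 'latin1');
const PNG_UPLOAD = Buffer.from('\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR', 'latin1');

console.log(compare(HTML_UPLOAD), compare(PNG_UPLOAD));
```

Only the flag-set variant turns the HTML-looking body into `text/html`; both sniffing variants relabel the PNG body as `image/png`.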