W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2012

Re: [whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Thu, 29 Nov 2012 02:07:29 -0500
Message-ID: <CAH4e3M6RjZ0WCDT0VjfZj8p35of_m0B41=ekkD=4R5SnLkgpwA@mail.gmail.com>
To: whatwg List <whatwg@whatwg.org>
On Thu, Nov 29, 2012 at 1:30 AM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
> Based on my reading of the source code, it seems that Gecko treats a
> resource served as 'application/octet-stream' as an unknown type which
> is sniffed as if no Content-Type was specified.

Oh, wait, I forgot what I was reading—Gecko does this specifically in
the context of sniffing for an audio or video resource. So, if a
resource tagged as 'application/octet-stream' is included in <audio>
or <video>, for example, it will be treated as unknown for the
purposes of identifying its true nature. This never follows a path of
scriptable privilege escalation, AFAICT.

So perhaps a more useful question would be what to do in situations
like that—should mimesniff treat "application/octet-stream" as a type
"supported by the browser" for the purposes of sniffing images, audio
or video, fonts, or other media types?

I imagine this ties in, too, to the issues with sniffing CSS files
that has been raised elsewhere:

https://bugzilla.mozilla.org/show_bug.cgi?id=560388
https://bugzilla.mozilla.org/show_bug.cgi?id=562377
https://bugzilla.mozilla.org/show_bug.cgi?id=808593

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/http://gphemsley.org/blog/
Received on Thursday, 29 November 2012 07:27:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT