- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 29 Nov 2012 11:30:47 -0800
- To: "Gordon P. Hemsley" <gphemsley@gmail.com>
- Cc: whatwg List <whatwg@whatwg.org>

On Wed, Nov 28, 2012 at 10:30 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
> Based on my reading of the source code, it seems that Gecko treats a
> resource served as 'application/octet-stream' as an unknown type which
> is sniffed as if no Content-Type was specified.
>
> Are there security implications with doing this?

Yes, there are very large security consequences.

I'm sorry that I don't have time to respond to all of these threads in detail, but I'm worried that you don't understand the consequences of the changes you're proposing to this specification. I'm not sure how to help you succeed here, but tweaking things in the spec without a compelling reason for doing so is not likely to lead to a useful specification.

I spent a great deal of time and effort studying the behaviors of many user agents and of a massive amount of content on the web. I'm certainly willing to believe that the spec can be improved, but if you don't understand these sorts of basic things about content sniffing, I worry that changes that you make to the spec won't be improvements.

Adam

Received on Thursday, 29 November 2012 20:31:42 UTC