
Re: [whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 29 Nov 2012 11:30:47 -0800
Message-ID: <CAJE5ia8=gEboxDqTmY7n_7Ca+L8eFpjE3_48ZjjgypbroZTmBg@mail.gmail.com>
To: "Gordon P. Hemsley" <gphemsley@gmail.com>
Cc: whatwg List <whatwg@whatwg.org>

On Wed, Nov 28, 2012 at 10:30 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
> Based on my reading of the source code, it seems that Gecko treats a
> resource served as 'application/octet-stream' as an unknown type which
> is sniffed as if no Content-Type was specified.
>
> Are there security implications with doing this?

Yes, there are very large security consequences.  I'm sorry that I
don't have time to respond to all of these threads in detail, but I'm
worried that you don't understand the consequences of the changes
you're proposing to this specification.

I'm not sure how to help you succeed here, but tweaking things in the
spec without a compelling reason for doing so is not likely to lead to
a useful specification.  I spent a great deal of time and effort
studying the behaviors of many user agents and of a massive amount of
content on the web.  I'm certainly willing to believe that the spec
can be improved, but if you don't understand these sorts of basic
things about content sniffing, I worry that changes that you make to
the spec won't be improvements.

Adam

Received on Thursday, 29 November 2012 20:31:42 GMT
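As an added example (not code from this thread, from Gecko, or from the mimesniff specification), the following models the two behaviours Gordon contrasts: sniffing an application/octet-stream response as if it had no Content-Type, versus keeping the declared type. It implements a reduced subset of the spec's "identify an unknown MIME type" algorithm (a few HTML tag patterns, the XML and PDF signatures, the binary-data-byte test over a 512-byte window); the function names and the sample bodies are assumptions.

```python
from typing import Optional

# Whitespace the unknown-type algorithm skips before matching tag patterns,
# and the bytes that must follow a tag pattern for it to match.
WHITESPACE = b"\t\n\x0c\r "
TAG_TERMINATORS = b" >"

# Subset of the spec's HTML pattern table (compared case-insensitively).
HTML_PATTERNS = [b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT",
                 b"<IFRAME", b"<H1", b"<DIV", b"<BODY", b"<P", b"<A"]

# Byte values the spec treats as "binary data bytes": a body containing any
# of these in its header is not sniffed as text/plain.
BINARY_BYTES = (set(range(0x00, 0x09)) | {0x0B}
                | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20)))


def sniff_unknown(body: bytes) -> str:
    """Simplified sniff of a resource whose Content-Type is unusable."""
    start = 0
    while start < len(body) and body[start] in WHITESPACE:
        start += 1
    head = body[start:start + 512]
    for pat in HTML_PATTERNS:
        n = len(pat)
        if head[:n].upper() == pat and len(head) > n and head[n] in TAG_TERMINATORS:
            return "text/html"
    if head.startswith(b"<?xml"):
        return "text/xml"
    if head.startswith(b"%PDF-"):
        return "application/pdf"
    if any(b in BINARY_BYTES for b in body[:512]):
        return "application/octet-stream"
    return "text/plain"


def computed_type(content_type: Optional[str], body: bytes,
                  octet_stream_is_unknown: bool) -> str:
    """Return the MIME type a user agent would act on.

    octet_stream_is_unknown=True models the Gecko behaviour described in the
    thread (application/octet-stream is sniffed like a missing Content-Type);
    False models keeping the server's declared binary type untouched.
    """
    unknown = content_type is None or (
        octet_stream_is_unknown and content_type == "application/octet-stream")
    return sniff_unknown(body) if unknown else content_type


if __name__ == "__main__":
    # Constructed sample: HTML bytes delivered under a binary type.
    html_body = b"\n<html><body>hello</body></html>"
    print(computed_type("application/octet-stream", html_body, True))   # text/html
    print(computed_type("application/octet-stream", html_body, False))  # application/octet-stream
```

The first call shows the risk Adam alludes to: markup served under an opaque binary type is promoted to text/html and rendered, while the second keeps the server's declaration authoritative.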
