
Re: [whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Thu, 29 Nov 2012 14:40:01 -0500
Message-ID: <CAH4e3M4c=G9LvFZYLONka_9MkH-JyvC4VaVpP9ijNhQJWvqTRw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg List <whatwg@whatwg.org>

On Thu, Nov 29, 2012 at 2:30 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 28, 2012 at 10:30 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
>> Based on my reading of the source code, it seems that Gecko treats a
>> resource served as 'application/octet-stream' as an unknown type which
>> is sniffed as if no Content-Type was specified.
>>
>> Are there security implications with doing this?
>
> Yes, there are very large security consequences.  I'm sorry that I
> don't have time to respond to all of these threads in detail, but I'm
> worried that you don't understand the consequences of the changes
> you're proposing to this specification.
>
> I'm not sure how to help you succeed here, but tweaking things in the
> spec without a compelling reason for doing so is not likely to lead to
> a useful specification.  I spent a great deal of time and effort
> studying the behaviors of many user agents and of a massive amount of
> content on the web.  I'm certainly willing to believe that the spec
> can be improved, but if you don't understand these sorts of basic
> things about content sniffing, I worry that changes that you make to
> the spec won't be improvements.
>
> Adam

I and others have already made clear that I was misreading the Mozilla
source code.

I'm aware of the security implications of interpreting a resource as
something other than what the Content-Type header says. The whole
reason I sent the original e-mail was because I thought Mozilla was
sniffing "application/octet-stream" in a way that it shouldn't, and I
wanted to clarify whether there was something I was missing.

I think you need to tone down your worry about my changes to the spec.
If I didn't have concern for the security implications for a change, I
wouldn't be sending an e-mail to the list about them, would I?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/
http://gphemsley.org/blog/
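As an added illustration of the policy point argued in this thread (not code from the thread, from Gecko, or from the mimesniff spec; the signature table is a deliberately reduced subset and the function names are my own), the difference between honouring an explicit application/octet-stream and treating it as an unknown type that gets sniffed:

```python
"""Why 'application/octet-stream' must not be sniffed like a missing
Content-Type. Added example: the signature table below is a small,
simplified subset of what mimesniff actually specifies."""

# Supplied types that mimesniff treats as "unknown" and therefore sniffs.
UNKNOWN_TYPES = {None, "unknown/unknown", "application/unknown", "*/*"}

# Simplified signature table. The real spec uses byte masks and a fuller
# tag list; this subset is enough to show the effect.
_HTML_TAGS = (b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<BODY", b"<IFRAME")
_BINARY_SIGS = [(b"%PDF-", "application/pdf"),
                (b"\x89PNG\r\n\x1a\n", "image/png"),
                (b"GIF8", "image/gif")]

def sniff_unknown(body: bytes, sniff_scriptable: bool) -> str:
    """Identify an unknown resource from its leading bytes."""
    head = body[:512].lstrip(b"\t\n\x0c\r ")
    if sniff_scriptable:
        upper = head.upper()
        for tag in _HTML_TAGS:
            # A tag must be followed by a space or '>' to count as a match.
            if upper.startswith(tag) and len(upper) > len(tag) and upper[len(tag)] in b" >":
                return "text/html"
    for sig, mime in _BINARY_SIGS:
        if head.startswith(sig):
            return mime
    return "application/octet-stream"

def computed_mime_type(supplied, body: bytes, no_sniff: bool = False,
                       octet_stream_is_unknown: bool = False) -> str:
    """Return the type the user agent should act on.

    Only 'unknown' supplied types are sniffed, and only then may a body be
    promoted to a scriptable type such as text/html. An explicit
    application/octet-stream is honoured as-is, so an HTML-looking blob a
    host deliberately serves as a download is never rendered in that host's
    origin. Setting octet_stream_is_unknown=True reproduces the behaviour
    the original question worried about, purely to show the difference.
    """
    unknown = set(UNKNOWN_TYPES)
    if octet_stream_is_unknown:
        unknown.add("application/octet-stream")
    if supplied in unknown:
        return sniff_unknown(body, sniff_scriptable=not no_sniff)
    return supplied

# Constructed sample: a download that happens to look like a page.
SAMPLE_HTML_BLOB = b"<html><script>alert(1)</script></html>"

if __name__ == "__main__":
    for ct in (None, "application/octet-stream"):
        print(ct, "->", computed_mime_type(ct, SAMPLE_HTML_BLOB))
```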
Received on Thursday, 29 November 2012 20:34:56 GMT