- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 27 Aug 2013 12:26:53 -0400
- To: whatwg <whatwg@lists.whatwg.org>
The current mimesniff spec says that when the Apache workaround is applied, sniffing should still be able to detect the content as PostScript, images, videos, archives, audio formats, etc.

I feel that this poses an unacceptable security risk due to allowing content through firewalls that is then interpreted differently by a UA. In particular, PostScript and media formats can be used to attack viewers and decoders.

Web compat does not require this behavior: Gecko only allows "text/plain" and "application/octet-stream" as output types when the Apache workaround is being applied, and we have been successfully shipping this for a while. I would strongly oppose changing the Gecko behavior here due to the security implications.

Given the security risks and the lack of web compat issues, I believe the spec should not require the behavior it currently requires.

-Boris
Received on Tuesday, 27 August 2013 16:27:27 UTC