Re: [whatwg] Zip archives as first-class citizens

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 28 Aug 2013 08:50:16 -0700
Message-ID: <CALx_OUDO2WxsKs-bi_1uYAEEufHxJqv8o0WskJPQopiJ4+ODdg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>

Two implementation risks to keep in mind:

1) Both jar: and mhtml: (which work or worked in a very similar way)
have caused problems in the absence of strict Content-Type matching. In
essence, it is relatively easy for something like a valid
user-supplied text document or an image to be also a valid archive.
Such archives may end up containing "files" that the owner of the
website never intended to host in their origin.

2) Both schemes also have a long history of breaking origin / host
name parsing in various places in the browser and introducing security
bugs.

/mz
Received on Wednesday, 28 August 2013 15:51:12 UTC
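
Added example, not part of the original message: a Python sketch of the strict Content-Type matching from point 1, plus an upload-side check that flags content declared as a non-archive type that a ZIP reader would still accept. The function names, the single allowed media type and the sample bytes are assumptions made for illustration.

```python
import io
import zipfile

# Assumption: the only media type a zip-style URL handler may open as an archive.
ARCHIVE_TYPES = {"application/zip"}


def media_type(content_type: str) -> str:
    """Strip parameters such as charset and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def parses_as_zip(data: bytes) -> bool:
    """True if a ZIP reader accepts these bytes. The reader locates the
    central directory from the end of the file, so leading non-archive
    bytes do not stop it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return True
    except zipfile.BadZipFile:
        return False


def may_open_as_archive(content_type: str, data: bytes) -> bool:
    """Strict matching: the declared type decides; sniffing never upgrades."""
    return media_type(content_type) in ARCHIVE_TYPES and parses_as_zip(data)


def upload_is_ambiguous(declared_type: str, data: bytes) -> bool:
    """Upload check: declared as non-archive, yet readable as an archive."""
    return media_type(declared_type) not in ARCHIVE_TYPES and parses_as_zip(data)


def constructed_sample():
    """Constructed test input: plain text followed by a small ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("page.html", "<p>constructed member</p>")
    plain_zip = buf.getvalue()
    return b"Meeting notes (constructed sample)\n" + plain_zip, plain_zip


if __name__ == "__main__":
    mixed, plain_zip = constructed_sample()
    print("text upload also parses as zip:", upload_is_ambiguous("text/plain", mixed))
    print("opened as archive when served as text/plain:",
          may_open_as_archive("text/plain", mixed))
    print("opened as archive when served as application/zip:",
          may_open_as_archive("application/zip", plain_zip))
```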