- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 12 May 2014 16:41:46 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: whatwg <whatwg@lists.whatwg.org>, "Eduardo' Vela <Nava>" <evn@google.com>
On Mon, May 12, 2014 at 4:17 PM, Ian Hickson <ian@hixie.ch> wrote: > On Mon, 12 May 2014, Eduardo' Vela\" <Nava> wrote: >> Now, with appcache manifest files, we are introducing a >> security-sensitive change based on a file with special powers (more on >> this later), and while before they were guarded by a Content-Type check, >> this isn't the case anymore. > > Note that there _is_ still a content type check with appcache, it's just > done on the first few bytes of the file instead of on the metadata. (This > is IMHO how all file typing should work.) There's a big difference between the first few bytes of a file and the Content-Type HTTP header. In many scenarios, the former is under the control of an attacker when the latter is not. Adam
Received on Monday, 12 May 2014 23:42:42 UTC