- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 03 Jun 2010 22:44:00 +0200
- To: Zack Weinberg <zweinberg@mozilla.com>
- Cc: W3C Emailing list for WWW Style <www-style@w3.org>
* Zack Weinberg wrote: >Mozilla happens to treat the absence of a content-type, an unparseable >content-type, and a handful of 'sentinel' values that are not >*supposed* to appear on the wire (but nothing prevents this) as >equivalent to text/css. However, CVE-2010-0654 (see >https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive >discussion) makes me think this is not a good idea. Do we know what browser vendors did exactly the last couple of times this issue came up? I recall for instance CAN-2002-0191 in 2002, and <http://www.hacker.co.il/security/ie/css_import.html> in 2005. It is mentioned in MS02-023 for example, but details are scarce. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 3 June 2010 20:44:41 UTC