- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 31 Mar 2009 15:02:27 -0700
- To: Adrien de Croy <adrien@qbik.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
On Tue, Mar 31, 2009 at 2:54 PM, Adrien de Croy <adrien@qbik.com> wrote:
> So then surely the last word on what type of content something is, should be
> the actual content itself?

Such an algorithm would maximize compatibility but cost security. Suppose we had an oracle that told us the "true" MIME type for a given HTTP response. The Content-Type header would still be an important security feature. For example, consider a server that replies with the following:

    Content-Type: image/gif

    <html><body>I am an HTML document</body></html>

If a user agent treats this response as text/html (supposing the oracle agrees with our intuition that this response is, in fact, HTML), then the user agent has likely opened the server up to a cross-site scripting attack. Instead, the user agent should treat this response as an image.

> So if any sniffing is to be done, surely it should only be the client? In
> which case why don't clients just ignore the Content-Type header always and
> always try and determine the type themselves. Some seem to do this already.

None of the major browsers do this anymore because of these security issues.

Adam
Received on Tuesday, 31 March 2009 22:03:22 UTC
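An added example (not from this thread or any browser's code) of the policy Adam describes: a small Python response classifier where a content "oracle" sniffs the body, but a declared Content-Type is authoritative, so the image/gif response above is never promoted to text/html; only a response with no Content-Type at all is sniffed. The parser, the marker list and the function names are my own choices.

```python
# Constructed sample responses (not captured traffic).
GIF_LABELLED_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"\r\n"
    b"<html><body>I am an HTML document</body></html>"
)
UNLABELLED_HTML = b"HTTP/1.1 200 OK\r\n\r\n<html><body>no header</body></html>"
UNLABELLED_GIF = b"HTTP/1.1 200 OK\r\n\r\nGIF89a\x01\x00\x01\x00\x00\xff"

HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<script")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into a header dict (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers, body


def looks_like_html(body: bytes) -> bool:
    """The 'oracle': does the body look like an HTML document?"""
    sample = body[:512].lstrip().lower()
    return any(sample.startswith(m) for m in HTML_MARKERS)


def sniff(body: bytes) -> str:
    """Content-based guess, used only when the server declared nothing."""
    if looks_like_html(body):
        return "text/html"
    if body.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    return "application/octet-stream"


def effective_type(raw: bytes) -> str:
    """Decide how a user agent should treat the response.

    A declared type wins even when the oracle disagrees: upgrading an
    image/gif body to text/html would let attacker-controlled 'image'
    uploads run as script in the server's origin (the XSS Adam describes).
    """
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared:
        return declared
    return sniff(body)
```
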