
[Bug 12390] A sandboxed MIME type attribute would be better than a fully qualified MIME type

From: <bugzilla@jessica.w3.org>
Date: Mon, 09 May 2011 18:45:59 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QJVSx-00083l-Mi@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390

Adam Barth <w3c@adambarth.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |w3c@adambarth.com

--- Comment #1 from Adam Barth <w3c@adambarth.com> 2011-05-09 18:45:58 UTC ---
The reason to use the MIME type is to get fail-closed behavior in legacy user
agents.  My understanding is that having a MIME parameter defeats that goal. 
If we want fail-open, then we can use something like Content-Security-Policy to
deliver a sandbox directive.

Note: Using the MIME type does not fail-closed in 100% of situations.  There
are a couple ways you can trick IE6 into failing open, even with a sandboxed
MIME type, due to the lax content sniffing behavior in IE6.  As IE6 becomes less
relevant, however, this issue probably matters less.

Received on Monday, 9 May 2011 18:46:01 UTC
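
Added example (not part of the original message or of any browser's code): a toy model of the fail-closed versus fail-open distinction discussed in the comment above, comparing how a legacy and a sandbox-aware user agent treat three delivery schemes. The type name text/html-sandboxed, the "sandboxed=1" parameter and all function names are assumptions made for illustration, and content sniffing is deliberately not modelled.

```python
# Toy model: what a user agent does with untrusted HTML under three schemes.
# Assumptions (not from the page): the type name "text/html-sandboxed", the
# hypothetical parameter "sandboxed=1", and that legacy agents ignore unknown
# MIME parameters and unknown response headers. Content sniffing is not
# modelled; the comment notes IE6's sniffing can defeat the MIME-type scheme.

def parse_content_type(value):
    """Split 'type/subtype; k=v' into (essence, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params

def has_csp_sandbox(policy):
    """True if a Content-Security-Policy value carries a sandbox directive."""
    return any(d.split()[0].lower() == "sandbox"
               for d in policy.split(";") if d.strip())

def handle(headers, understands_sandbox):
    """Return 'render-sandboxed', 'render-unsandboxed' or 'not-rendered'."""
    essence, params = parse_content_type(headers.get("Content-Type", ""))
    if essence == "text/html-sandboxed":
        # A legacy agent has no handler for this type, so nothing executes.
        return "render-sandboxed" if understands_sandbox else "not-rendered"
    if essence == "text/html":
        wants_sandbox = (params.get("sandboxed") == "1" or
                         has_csp_sandbox(headers.get("Content-Security-Policy", "")))
        if understands_sandbox and wants_sandbox:
            return "render-sandboxed"
        # A legacy agent drops the signal it does not know and renders as usual.
        return "render-unsandboxed"
    return "not-rendered"

SCHEMES = {  # constructed sample responses
    "sandboxed MIME type": {"Content-Type": "text/html-sandboxed"},
    "MIME parameter": {"Content-Type": "text/html; sandboxed=1"},
    "CSP sandbox directive": {"Content-Type": "text/html",
                              "Content-Security-Policy": "sandbox"},
}

def outcomes():
    """Map scheme name to (legacy agent result, sandbox-aware agent result)."""
    return {n: (handle(h, False), handle(h, True)) for n, h in SCHEMES.items()}

def fails_closed(scheme):
    """A scheme fails closed if a legacy agent never renders it unsandboxed."""
    return outcomes()[scheme][0] != "render-unsandboxed"

if __name__ == "__main__":
    for name, (legacy, modern) in outcomes().items():
        print(f"{name:24} legacy={legacy:20} modern={modern}")
```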
