Re: review of content type rules by IETF/HTTP community

On Aug 21, 2007, at 5:34 PM, Roy T. Fielding wrote:

> On Aug 21, 2007, at 4:02 PM, Maciej Stachowiak wrote:
>> The sniffing behavior in HTML5 is not orthogonal to the rest of the spec. It depends on the loading context.
>> <iframe src="gif-sent-with-text-plain-type.txt"> will have different results than <img src="gif-sent-with-text-plain-type.txt">.
>> This is necessary both for compatibility and to minimize the scope of the content sniffing.
>
> No, it just guarantees that intermediaries (which have no idea of the
> context) will always have a different sniffing algorithm than the
> browsers.  Brilliant.  Are there any other security holes in MSIE you
> want to make standard?

Can you clarify how it is a security hole to treat something as either a GIF image or unknown binary data in different contexts, when the server incorrectly reports it to be text/plain? The vulnerability is not obvious to me.

Regards,
Maciej
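The disagreement above turns on a response whose declared Content-Type (text/plain) does not match its bytes (a GIF). An intermediary, as Roy notes, has no loading context, so the most it can do is detect that the declared type and the sniffed type disagree and log or flag it. The following is an added example, not code from the thread or from any browser or proxy; it assumes a small constructed table of magic-byte signatures (a subset, not the HTML5 sniffing table) and a hypothetical classify() helper.

```python
from typing import Dict, Optional, Tuple

# Constructed, minimal signature table (assumption: only these four formats;
# real sniffers carry many more entries, and this is not the HTML5 table).
SIGNATURES = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Only the leading bytes are inspected, so large bodies need not be buffered.
SNIFF_WINDOW = 512


def sniff_type(body: bytes) -> Optional[str]:
    """Return the media type implied by the body's leading bytes, or None."""
    head = body[:SNIFF_WINDOW]
    for magic, media_type in SIGNATURES:
        if head.startswith(magic):
            return media_type
    return None


def parse_content_type(header: str) -> Optional[str]:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    media_type = header.split(";", 1)[0].strip().lower()
    return media_type or None


def classify(headers: Dict[str, str], body: bytes) -> Tuple[str, Optional[str]]:
    """Hypothetical intermediary check (assumption: no knowledge of the
    loading context). Returns (verdict, media_type) where verdict is one of
    'missing-type', 'mismatch' or 'consistent'."""
    declared = parse_content_type(headers.get("Content-Type", ""))
    sniffed = sniff_type(body)
    if declared is None:
        return ("missing-type", sniffed)
    if sniffed is not None and sniffed != declared:
        # The case under discussion: server says text/plain, bytes say GIF.
        return ("mismatch", sniffed)
    return ("consistent", declared)


if __name__ == "__main__":
    # Constructed sample: a GIF header served with a text/plain label.
    gif_bytes = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    print(classify({"Content-Type": "text/plain; charset=us-ascii"}, gif_bytes))
    print(classify({"Content-Type": "text/plain"}, b"just some text"))
```

The verdict is deliberately only a label: whether a mismatched response is rendered as an image, shown as text or refused is exactly the context-dependent decision the thread is arguing about, and an intermediary cannot make it. Logging 'mismatch' events is still useful for spotting misconfigured servers and for measuring how much sniffing a site actually depends on.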

Received on Wednesday, 22 August 2007 02:10:52 UTC