- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 13 Aug 2008 09:41:28 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: Simon Pieters <simonp@opera.com>, public-html <public-html@w3.org>
On Tue, 12 Aug 2008, Boris Zbarsky wrote:
> Ian Hickson wrote:
> > * Firefox treats text/html as HTML, and everything else as text/plain.
> > It ignores leading and trailing spaces, and ignores everything after
> > the first non-leading space or the first semicolon. It is
> > case-insensitive.
>
> If anyone is interested as to the reasons:
>
> 1) We added the text/plain support when someone complained about script
> injection issues in content they were document.writing as text/plain and
> which we at the time treated as HTML. Given that, we decided that
> unknown types should be either treated as text/plain or throw, with
> text/plain being marginally more useful.

That seems like a somewhat overenthusiastic fix -- why not just do what IE
does? That would presumably still allow for safe handling of text/plain
content. Since no other browser treats anything as text/plain other than
text/plain, nobody would presumably send content with other random MIME
types and expect a non-scripted handling.

> 2) The type parsing (the whitespace/semicolon thing) is covered by
> <https://bugzilla.mozilla.org/show_bug.cgi?id=295652>. Basically, some
> pages pass "text/html; charset=ISO-8859-1" and expect it to be treated
> as HTML.

This only seems to be required if you do the above behaviour of treating
things as text/plain instead of text/html by default -- since the other
browsers treat things as text/html by default, they don't need to do
anything to not treat things as text/plain.

> > I've gone with the simplest subset behaviour -- case-insensitive
> > literal string match against "text/plain", with everything else being
> > treated as HTML.
>
> That doesn't match Simon's quote from the spec

Right; when I said "I've gone" I meant that I had (just) changed the spec
to match this.

> and I wouldn't be willing to implement this for the security reasons
> mentioned above.

I don't understand the security risk. Could you elaborate on what the
threat is?
-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 August 2008 09:42:05 UTC
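As an added illustration that is not part of the thread: the two document.open() type-argument strategies the message contrasts, modelled in JavaScript. The Firefox side follows Boris's description (trim, cut at the first space or semicolon, case-insensitive match on "text/html", everything else treated as text/plain); the spec side follows Ian's description (case-insensitive literal match on "text/plain", everything else treated as HTML). The function names and the sample type strings are constructed for this example and are not from the thread or from either browser's source.

```javascript
// Added example, not from the original thread. Models how each side of the
// discussion maps a document.open() type argument to "html" or "plain".
// Function names and sample inputs are constructed for illustration.

// Firefox behaviour as Boris describes it: ignore leading/trailing spaces,
// ignore everything after the first non-leading space or first semicolon,
// compare case-insensitively; "text/html" -> HTML, anything else -> text/plain.
function firefoxOpenMode(type) {
  let t = String(type).trim();
  const cut = t.search(/[ ;]/); // first space or semicolon after trimming
  if (cut !== -1) t = t.slice(0, cut);
  return t.toLowerCase() === "text/html" ? "html" : "plain";
}

// Spec behaviour as Ian describes it: a case-insensitive literal string match
// against "text/plain"; everything else is treated as HTML. No trimming and
// no parameter stripping, so "text/plain; charset=..." is NOT text/plain here.
function specOpenMode(type) {
  return String(type).toLowerCase() === "text/plain" ? "plain" : "html";
}

// Constructed sample type strings covering the cases raised in the thread,
// including the "text/html; charset=ISO-8859-1" form from the Mozilla bug.
const SAMPLE_TYPES = [
  "text/html",
  "text/html; charset=ISO-8859-1",
  "TEXT/PLAIN",
  "  text/plain  ",
  "application/xhtml+xml",
  "text/plain;charset=utf-8",
];

// Side-by-side table of how each strategy classifies every sample type.
function compareModes(types = SAMPLE_TYPES) {
  return types.map((t) => ({
    type: t,
    firefox: firefoxOpenMode(t),
    spec: specOpenMode(t),
  }));
}

// Only the types where the two strategies disagree; these are the inputs
// where content could be parsed as markup under one model and as inert
// text under the other, which is the crux of the security concern raised.
function disagreements(types = SAMPLE_TYPES) {
  return compareModes(types).filter((r) => r.firefox !== r.spec);
}

// Stand-alone usage: print the comparison table.
console.table(compareModes());
```

The divergent rows are the interesting ones: an unknown type such as application/xhtml+xml is inert text under the Firefox model but parsed as HTML under the spec model, while "text/plain;charset=utf-8" is inert under Firefox's parameter-stripping parse but, because the spec match is literal, is parsed as HTML there. Any defensive code that relies on document.open(type) to neutralise markup therefore needs to pass exactly "text/plain" to get the same result in both models.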