Re: type parameter of Document.open() (detailed review of the DOM)

On Wed, 13 Aug 2008, Boris Zbarsky wrote:
> > 
> > I don't understand the security risk. Could you elaborate on what the 
> > threat is?
> 
> The obvious threat is that someone writes (or wrote a while back) 
> something, tests (or tested) in their browser, it doesn't render as HTML 
> (or didn't back when they tested), then we render it as HTML.
> 
> Obvious examples that come up are image types in IE, or a whole slew of 
> stuff in Netscape 4 (think old site that no one has bothered to update, 
> and yes such things still exist: we get people complaining that they 
> can't document.open('application/postscript') in current Gecko).

Fair enough.

The risk of implementing this as Firefox does, of course, is lack of 
compatibility with pages that are expecting HTML handling. To gain some 
level of compatibility we have to, at a minimum, strip leading and 
trailing space characters, and ignore any content after the first 
semicolon.

Now the question is, are other browser vendors willing to change to this?

I've changed the spec for now, but I would really appreciate confirmation 
from WebKit, Opera, and IE representatives that this change is one that 
the majority of browser vendors are willing to implement.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 14 August 2008 20:33:59 UTC
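
The normalization described in the message above (strip leading and trailing space characters, ignore everything after the first semicolon), as an added JavaScript example that is not from the original message, the spec text, or any browser's source. The function names, the ASCII case-insensitive match against `text/html`, and the choice to treat every other type as non-HTML are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical.

// HTML "space characters": space, tab, LF, FF, CR.
// String.prototype.trim() strips more than these (for example U+00A0),
// so explicit patterns are used instead.
const LEADING_SPACE = /^[ \t\n\f\r]+/;
const TRAILING_SPACE = /[ \t\n\f\r]+$/;

function normalizeOpenType(type) {
  let t = String(type);
  // Ignore everything from the first semicolon on (parameters such as charset).
  const semi = t.indexOf(";");
  if (semi !== -1) t = t.slice(0, semi);
  // Strip after cutting, so the space before ';' in "text/html ; x" is removed too.
  return t.replace(LEADING_SPACE, "").replace(TRAILING_SPACE, "");
}

// Assumption: only a type that normalizes to "text/html" gets HTML handling.
// Anything else (image types, application/postscript, ...) is never parsed as
// HTML, which is the risk raised in the quoted text.
function opensAsHtml(type) {
  return normalizeOpenType(type).toLowerCase() === "text/html";
}

// Constructed sample inputs.
const samples = [
  "text/html",
  " text/html ; charset=utf-8",
  "TEXT/HTML",
  "application/postscript",
  "image/png",
  "\u00a0text/html", // NBSP is not an HTML space character
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", opensAsHtml(s) ? "HTML" : "not HTML");
}
```
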