Re: type parameter of Document.open() (detailed review of the DOM) from Maciej Stachowiak on 2008-08-15 (public-html@w3.org from August 2008)

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 14 Aug 2008 19:59:07 -0700
To: Ian Hickson <ian@hixie.ch>
Cc: Boris Zbarsky <bzbarsky@MIT.EDU>, public-html <public-html@w3.org>
Message-Id: <267558D6-0473-4DC9-8692-ED7DE5D31B8F@apple.com>

On Aug 14, 2008, at 1:33 PM, Ian Hickson wrote:

>
> On Wed, 13 Aug 2008, Boris Zbarsky wrote:
>>>
>>> I don't understand the security risk. Could you elaborate on what  
>>> the
>>> threat is?
>>
>> The obvious threat is that someone writes (or wrote awhile back)
>> something, tests (or tested) in their browser, it doesn't render as  
>> HTML
>> (or didn't back when they tested), then we render it as HTML.
>>
>> Obvious examples that come up are image types in IE, or a whole  
>> slew of
>> stuff in Netscape 4 (think old site that no one has bothered to  
>> update,
>> and yes such things still exist: we get people complaining that they
>> can't document.open('application/postscript') in current Gecko).
>
> Fair enough.
>
> The risk of implementing this as Firefox does, of course, is lack of
> compatibility with pages that are expecting HTML handling. To gain  
> some
> level of compatibility we have to, at a minimum, strip leading and
> trailing space characters, and ignore any content after the first
> semicolon.
>
> Now the question is, are other browser vendors willing to change to  
> this?
>
> I've changed the spec for now, but I would really appreciate  
> confirmation
> from WebKit, Opera, and IE representatives that this change is one  
> that
> the majority of browser vendors are willing to implement.

WebKit doesn't match either Firefox or IE currently (we always use  
text/html as you said). I would prefer to go with the IE behavior or  
something close to it. I think the security risk of defaulting unknown  
types to text/html is very small. There may be sites that have not  
been updated since the Netscape 4 days, but it's unlikely any have  
enough regular users to be targeted by security attacks. On the other  
hand, it seems the compatibility risk is real, since Firefox must do  
trickier parsing to catch some types that must indeed be treated as  
text/html.

Admittedly, this opinion is not informed by extensive testing.

Regards,
Maciej

Received on Friday, 15 August 2008 02:59:48 UTC