Re: [w3c/manifest] Why does obtaining not check a MIME type? (#821) from Matt Giuca on 2020-04-22 (public-webapps-github@w3.org from April 2020)

From: Matt Giuca <notifications@github.com>
Date: Tue, 21 Apr 2020 23:38:13 -0700
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/issues/821/617581581@github.com>

@mikewest AFAIK we aren't "mime sniffing" here, we're just assuming that when an HTML file links to a manifest, it is a JSON file, without looking at the MIME type. (We aren't trying to "guess" the MIME type from its content or anything, we just ignore the MIME type.)

How would checking the MIME type help with security? We still have to parse a binary file that may or may not be valid JSON / a valid manifest.

I don't think we have metrics on the MIME type of the manifest files. @dmurph do you think it's worth adding this in Chrome?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/821#issuecomment-617581581

Received on Wednesday, 22 April 2020 06:38:25 UTC