- From: Jon Sneyers <notifications@github.com>
- Date: Thu, 13 May 2021 09:18:23 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 13 May 2021 16:18:35 UTC
> There are security-related problems with extending sniffing, even for images, due to Spectre. In a Spectre world, it's important that the origin server give an explicit signal (i.e. content-type header) that the resource is an image and thus is OK being read cross-origin. Relying on sniffing to make this crucial security decision runs the risk of inadvertently exposing non-image resources to attackers. > > Please follow the guidelines for new formats. The origin markup can specify a content-type in a picture srcset type, but in the case of a simple img tag, the markup does not specify a content type, so it is up to the cross-origin server to provide a response with a correct media type. I am confused about what exactly is the concern here. Could you give an example of how a potential attack could look like that is possible when the jxl magic gets added to the mimesniff spec and not possible when it does not get added there? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/633#issuecomment-840669896
Received on Thursday, 13 May 2021 16:18:35 UTC