- From: Noam Rosenthal <notifications@github.com>
- Date: Thu, 05 Jun 2025 03:24:07 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 5 June 2025 10:24:11 UTC
noamr left a comment (w3ctag/design-reviews#1064)

> The use of `@unknown` for that seems highly specific and ineffective at preventing that attack. If you allow any information out, that exfiltration can happen. Especially with content type being available.

> You have multiple bits available (image type, different content codings); why do you think that blocking one very specific part of the information is going to be effective?

`Content-Type` is also limited to a set of defined MIME types, for the same reason. There's a vast difference in entropy between a spec-defined enum and an open string.

Though I am aligned with this generally being a good restriction, I'd defer this to folks at Apple (@annevk and co) who were the advocates for this restriction to perhaps explain it better than myself.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1064#issuecomment-2943622083
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1064/2943622083@github.com>