- From: Bil Corry <bil@corry.biz>
- Date: Sat, 29 Nov 2008 23:44:17 -0600
- To: public-webapps <public-webapps@w3.org>
Marcos Caceres wrote on 11/29/2008 9:39 AM: > I had a discussion with Henri Sivonen and a few other people in the > HTML-WG about using HTML5's content-type sniffing as a way of deriving > the MIME type of files inside a widget package. Henri suggested that > we should primarily rely on file extensions as a way of mapping files > to MIME types. Although relying on extensions can be potentially > unreliable, it seems like a simple solution to a complicated problem. Content-sniffing can pose it's own problems, here's one example: http://www.gnucitizen.org/blog/backdooring-images/ > For the spec, I guess it would mean including a table of file > extension to MIME type mappings into the spec for common IANA > registered types (MIME type registrations list file extensions). The Apache (httpd) project includes a file called "mime.types" that maps file extensions to MIME types. I haven't seen anything more extensive than Apache's. > As a > second line of defense, if there is no file extension, or the file > extension does not map to the file extension to MIME table, then HTML > content-type sniffing heuristics can be used. This paper describes how the major browsers do it: http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf Firefox specifically appears to do it the way you're proposing here. - Bil
Received on Sunday, 30 November 2008 05:45:11 UTC