- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Wed, 3 Dec 2008 16:37:27 +0000
- To: "Bil Corry" <bil@corry.biz>
- Cc: public-webapps <public-webapps@w3.org>
Hi Bil,

Sorry, I accidentally skipped over your email.

On Sun, Nov 30, 2008 at 5:44 AM, Bil Corry <bil@corry.biz> wrote:
>
> Marcos Caceres wrote on 11/29/2008 9:39 AM:
>> I had a discussion with Henri Sivonen and a few other people in the
>> HTML-WG about using HTML5's content-type sniffing as a way of deriving
>> the MIME type of files inside a widget package. Henri suggested that
>> we should primarily rely on file extensions as a way of mapping files
>> to MIME types. Although relying on extensions can be potentially
>> unreliable, it seems like a simple solution to a complicated problem.
>
> Content-sniffing can pose its own problems, here's one example:
>
> http://www.gnucitizen.org/blog/backdooring-images/
>

I see.

>
>> For the spec, I guess it would mean including a table of file
>> extension to MIME type mappings into the spec for common IANA
>> registered types (MIME type registrations list file extensions).
>
> The Apache (httpd) project includes a file called "mime.types" that maps file extensions to MIME types. I haven't seen anything more extensive than Apache's.
>
>
>> As a
>> second line of defense, if there is no file extension, or the file
>> extension does not map to the file extension to MIME table, then HTML
>> content-type sniffing heuristics can be used.
>
> This paper describes how the major browsers do it:
>
> http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf
>
> Firefox specifically appears to do it the way you're proposing here.

Thanks for this resource, it was quite useful!

--
Marcos Caceres
http://datadriven.com.au
Received on Wednesday, 3 December 2008 16:38:06 UTC
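
The resolution order discussed in this thread (extension table first, content sniffing only when there is no extension or no table entry), as an added example that is not part of the original message or of the Widgets spec. The table subset, the magic-number sniffer standing in for HTML5's heuristics, the `mismatches` helper and the sample files are all constructed assumptions.

```python
import os

# Constructed subset of an extension-to-MIME table (assumption, not the spec's).
EXTENSION_TABLE = {
    ".html": "text/html", ".css": "text/css",
    ".png": "image/png", ".gif": "image/gif", ".jpg": "image/jpeg",
}
# Simplified stand-in for HTML5 content-type sniffing (assumption).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"), (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"), (b"\xff\xd8\xff", "image/jpeg"),
]
UNKNOWN = "application/octet-stream"

def sniff(data):
    """Guess a type from the leading bytes only."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return UNKNOWN

def resolve_mime(name, data):
    """Extension table first; sniff only if the extension is absent or unmapped."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXTENSION_TABLE:
        return EXTENSION_TABLE[ext], "extension"
    return sniff(data), "sniffed"

def mismatches(files):
    """Names whose extension-derived type disagrees with what the bytes look like."""
    flagged = []
    for name, data in files.items():
        mime, source = resolve_mime(name, data)
        if source == "extension" and sniff(data) not in (mime, UNKNOWN):
            flagged.append(name)
    return flagged

# Constructed sample package contents (file name -> leading bytes).
SAMPLE = {
    "index.html": b"<!DOCTYPE html><html></html>",
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "logo.gif": b"<html><body>not an image</body></html>",
    "README": b"GIF89a" + b"\x00" * 8,
}

if __name__ == "__main__":
    for fname, blob in SAMPLE.items():
        print(fname, resolve_mime(fname, blob))
    print("mismatched:", mismatches(SAMPLE))
```

With the extension taking precedence, `logo.gif` is served as `image/gif` even though its bytes look like HTML, and the mismatch is something a packaging or review tool can report.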