- From: Elliotte Harold <elharo@metalab.unc.edu>
- Date: Mon, 04 Dec 2006 10:03:43 -0500
Mike Schinkel wrote:

> Hmm. I believe the http standard states that clients are not supposed to
> override a content-type given by a server. For example, a web page showing a
> script virus shouldn't be identified by the client as a script and executed;
> the client should instead just display it as a web page like the server told
> it to. Or am I missing your context?

Turn that example around. Suppose the web server says the document is a script that should be executed. Should the client execute it? Of course not.

Security demands that the client not execute the script in both cases: when the server says it is a script and when the server says it isn't. Security requires that the client be in control of decisions about what the client does. There are also many good non-security reasons for putting the client in control.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
Received on Monday, 4 December 2006 07:03:43 UTC