[whatwg] Style sheet loading and parsing (over HTTP)

From: Gervase Markham <gerv@mozilla.org>
Date: Thu, 24 May 2007 09:52:19 +0100
Message-ID: <46555243.5090803@mozilla.org>
Jon Barnett wrote:
> It's detrimental to the user when the user is denied content or a
> stylesheet for the content because a server is misconfigured. There are
> cases, such as CSS documents and images referenced by CSS documents,
> where ignoring Content-type is never harmful. In other cases, the harm
> can be mitigated by the rules in the spec.

It's also detrimental to the user when they are put at security risk 
because MIME types are not respected.

Recent example: spammers, phishers and other sundry evildoers have 
started attaching HTML attachments to Bugzilla installations, and using 
them as redirectors to their sites, to avoid domain name blacklists in 
spam filtering software.

Obvious solution: if an attachment is uploaded by a user with no 
permissions and its MIME type is one which contains script executed by 
the browser (all HTML types, SVG, ...) then change it to "text/plain". 
This is the least intrusive option - the attachment can still be viewed, 
and someone with permissions can change the MIME type later after 
checking the content.

However, this doesn't protect anyone using IE, because IE claims to know 
better and ignores Content-Type.

Gerv
Received on Thursday, 24 May 2007 01:52:19 UTC
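The downgrade rule Gerv describes (an attachment uploaded by a user without permissions whose MIME type the browser would execute script from is stored as text/plain), as an added example in Python; this is not code from the message or from Bugzilla. The function names, the list of active types and the nosniff response header (a later mechanism that addresses the IE content sniffing he mentions) are assumptions added here.

```python
# Assumed list of MIME types a browser treats as active content. The message
# names "all HTML types, SVG, ..."; the concrete entries here are an assumption.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/javascript",
    "application/javascript",
    "application/x-javascript",
}
SAFE_TYPE = "text/plain"


def parse_media_type(content_type: str) -> tuple[str, dict]:
    """Split 'type/subtype; k=v; ...' into a lowercase media type and its parameters."""
    parts = [p.strip() for p in content_type.split(";")]
    media = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return media, params


def is_active_content(content_type: str) -> bool:
    """True if the declared type can carry script the browser would run."""
    media, _ = parse_media_type(content_type)
    # Any XML-based type (image/svg+xml, text/xml, ...) can embed script, so
    # treat the whole +xml family and bare XML as active as well.
    return media in ACTIVE_CONTENT_TYPES or media.endswith("+xml") or media.endswith("/xml")


def stored_content_type(declared: str, uploader_can_attach_active: bool) -> str:
    """Content-Type to store for an upload: unchanged for trusted users or inert
    types, otherwise downgraded to text/plain (charset kept so the text view decodes)."""
    if uploader_can_attach_active or not is_active_content(declared):
        return declared
    _, params = parse_media_type(declared)
    charset = params.get("charset")
    return f"{SAFE_TYPE}; charset={charset}" if charset else SAFE_TYPE


def response_headers(stored_type: str) -> dict:
    """Headers to serve the attachment with. X-Content-Type-Options: nosniff
    (assumed addition; it postdates the message) tells IE8+ and other browsers
    to honour the declared type instead of sniffing the body."""
    return {"Content-Type": stored_type, "X-Content-Type-Options": "nosniff"}
```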