- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 24 May 2007 11:03:25 +0200
Gervase Markham wrote: > Jon Barnett wrote: >> It's detrimental to the user when the user is denied content or a >> stylesheet for the content because a server is misconfigured. There >> are cases, such as CSS documents and images referenced by CSS >> documents, where ignoring Content-type is never harmful. in other >> cases, the harm can be mitigated by the rules in the spec. > > It's also detrimental to the user when they are put at security risk > because MIME types are not respected. > > Recent example: spammers, phishers and other sundry evildoers have > started attaching HTML attachments to Bugzilla installations, and using > them as redirectors to their sites, to avoid domain name blacklists in > spam filtering software. > > Obvious solution: if an attachment is uploaded by a user with no > permissions and its MIME type is one which contains script executed by > the browser (all HTML types, SVG, ...) then change it to "text/plain". > This is the least intrusive option - the attachment can still be viewed, > and someone with permissions can change the MIME type later after > checking the content. > > However, this doesn't protect anyone using IE, because IE claims to know > better and ignores Content-Type. So, if I understand correctly, Firefox already respects the content type here. Seems to me that this is sufficient evidence that HTML5 must not require user agents to ignore the content type in this case, right? Best regards, Julian
Received on Thursday, 24 May 2007 02:03:25 UTC