[whatwg] Style sheet loading and parsing (over HTTP)

On Thu, 24 May 2007, Gervase Markham wrote:
> Jon Barnett wrote:
> > It's detrimental to the user when the user is denied content or a stylesheet
> > for the content because a server is misconfigured.  There are cases, such as
> > CSS documents and images referenced by CSS documents, where ignoring
> > Content-type is never harmful.  In other cases, the harm can be mitigated by
> > the rules in the spec.
> 
> It's also detrimental to the user when they are put at security risk 
> because MIME types are not respected.
> 
> Recent example: spammers, phishers and other sundry evildoers have 
> started attaching HTML attachments to Bugzilla installations, and using 
> them as redirectors to their sites, to avoid domain name blacklists in 
> spam filtering software.
> 
> Obvious solution: if an attachment is uploaded by a user with no 
> permissions and its MIME type is one which contains script executed by 
> the browser (all HTML types, SVG, ...) then change it to "text/plain". 
> This is the least intrusive option - the attachment can still be viewed, 
> and someone with permissions can change the MIME type later after 
> checking the content.
> 
> However, this doesn't protect anyone using IE, because IE claims to know 
> better and ignores Content-Type.

Note that the HTML5 spec requires browsers not to convert text/plain to a 
more dangerous type (text/plain is either treated as text/plain or 
application/octet-stream according to the spec).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 24 May 2007 09:19:52 UTC
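As an added example (not code from the thread, from Bugzilla, or from the HTML5 spec), the two halves of the argument above in working Python: the server-side downgrade Gervase proposes, and the client-side sniffing constraint Ian cites. The function names, the `uploader_privileged` flag and the inclusion of the generic XML types in the script-capable set are assumptions made here; the binary-byte definition and the 1445-byte resource header are the MIME Sniffing spec's. The example goes a little beyond the post by also handling type parameters, mixed case and malformed values.

```python
"""Added example (not from the WHATWG thread or Bugzilla).

1. effective_upload_type(): the server-side rule from the thread, that is
   downgrade any script-capable declared type to text/plain when the
   uploader is unprivileged, so the attachment can still be viewed but
   cannot run script or redirect.
2. sniff_text_plain(): the client-side constraint Ian cites, that is a
   body served as text/plain may be sniffed only to text/plain or
   application/octet-stream, never to HTML.
"""

SCRIPT_CAPABLE_TYPES = frozenset({
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    # Assumption (not stated in the thread): generic XML types are included
    # because an XML document can carry XHTML/SVG or an XSLT stylesheet.
    "text/xml",
    "application/xml",
})


def _parse_media_type(value):
    """Return the 'type/subtype' part of a Content-Type value, lower-cased,
    with parameters such as charset stripped; None if it is malformed."""
    if not value:
        return None
    essence = value.split(";", 1)[0].strip().lower()
    if essence.count("/") != 1:
        return None
    maintype, subtype = essence.split("/")
    if not maintype or not subtype:
        return None
    return essence


def effective_upload_type(declared_type, uploader_privileged):
    """Decide the Content-Type to store and serve for an uploaded attachment.

    uploader_privileged is a hypothetical flag standing in for "user with
    permissions" in the thread; a privileged user keeps the declared type.
    """
    essence = _parse_media_type(declared_type)
    if essence is None:
        # Unparseable or missing: serve as opaque bytes so the browser has
        # nothing to render as a document.
        return "application/octet-stream"
    if uploader_privileged:
        return essence
    if essence in SCRIPT_CAPABLE_TYPES:
        return "text/plain"
    return essence


# MIME Sniffing spec "binary data byte": 0x00-0x08, 0x0B, 0x0E-0x1A, 0x1C-0x1F.
_BINARY_DATA_BYTES = frozenset(
    list(range(0x00, 0x09)) + [0x0B]
    + list(range(0x0E, 0x1B)) + list(range(0x1C, 0x20))
)
_RESOURCE_HEADER_LEN = 1445  # spec's resource header size


def sniff_text_plain(body):
    """Sniff a body served as text/plain the way the spec permits.

    The result is text/plain or application/octet-stream and nothing else,
    so HTML smuggled under text/plain is never promoted to a scriptable type.
    """
    header = body[:_RESOURCE_HEADER_LEN]
    # A UTF-8 or UTF-16 byte order mark means text, whatever follows it.
    if header.startswith((b"\xef\xbb\xbf", b"\xfe\xff", b"\xff\xfe")):
        return "text/plain"
    if any(b in _BINARY_DATA_BYTES for b in header):
        return "application/octet-stream"
    return "text/plain"


if __name__ == "__main__":
    # Constructed sample: an HTML redirector uploaded by an unprivileged user.
    redirector = b"<html><meta http-equiv=refresh content='0;url=http://example.test/'>"
    served_as = effective_upload_type("text/html; charset=utf-8", False)
    print(served_as, sniff_text_plain(redirector))  # text/plain text/plain
```

The server-side function is what stops the redirector trick for browsers that honour Content-Type; the sniffing function is the rule a conforming browser must follow so that the downgrade is not silently undone. A browser that ignores Content-Type altogether, as the thread says IE did, defeats the first function no matter what the spec says, which is why later browsers added the X-Content-Type-Options: nosniff response header (not discussed on this page) to let a server opt out of sniffing explicitly.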