[whatwg] Style sheet loading and parsing (over HTTP)

Jon Barnett wrote:
> I would propose that the "type" attribute be more meaningful on, for 
> example, the <a> element and the <object> element:
> - If the "type" attribute is present, the UA must use its value as the 
> value of the Accept request header when requesting a resource

This does not help in the scenario I mention because the link which is 
used is in the spammer's email - and they are unlikely to be so obliging 
as to set the "type" attribute correctly to warn Bugzilla.

The plain fact is that the only way for the sensible mitigation strategy 
to work is for the browser to respect what the server tells it. Perhaps 
we should invent a new header, 
Really-Honestly-The-Content-Type-I-Promise, which browsers were forced 
to respect? <sigh>

> That would allow, for example, Bugzilla to use <a type="text/plain"> 
> when linking to an attachment without fear that the attachment might be 
> sniffed as text/html.

See above.

Gerv

Received on Friday, 25 May 2007 02:41:52 UTC
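
Added example, not part of the original message or of Bugzilla's code: the mitigation has to live in the server's response, because the link is written by the attacker, and browsers later adopted a response header with the role asked for above, `X-Content-Type-Options: nosniff`. The sketch below builds the response headers for a user-uploaded attachment. The function name `attachment_headers` and the allowlist `INERT_TYPES` are assumptions made for illustration.

```python
# Added example: response headers for serving an untrusted, user-uploaded
# attachment. attachment_headers and INERT_TYPES are hypothetical names.

# Types considered safe to render inline (an assumption; tune per deployment).
INERT_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}


def attachment_headers(declared_type: str, filename: str) -> dict:
    """Return headers that tell the browser exactly how to treat the body.

    The uploader controls declared_type and filename, and whoever writes the
    link controls its markup, so nothing here relies on the linking page.
    """
    # Drop parameters such as "; charset=..." and normalise case.
    media_type = declared_type.split(";", 1)[0].strip().lower()
    inline_ok = media_type in INERT_TYPES
    if not inline_ok:
        # Anything that could be active content is served as an opaque download.
        media_type = "application/octet-stream"

    # Keep only characters that cannot end the quoted string or inject a header.
    safe_name = "".join(
        c for c in filename if c.isascii() and (c.isalnum() or c in "._-")
    ) or "attachment"
    disposition = "inline" if inline_ok else "attachment"

    return {
        "Content-Type": media_type,
        # Instructs the browser not to sniff a different type from the body.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Defence in depth: if the body is rendered anyway, it is sandboxed.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for declared, name in [("text/plain", "patch.diff"),
                           ("text/html", "report.html")]:
        print(declared, "->", attachment_headers(declared, name))
```
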