- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 25 May 2007 09:48:23 +0000 (UTC)
On Fri, 25 May 2007, Gervase Markham wrote: > > Although I also mention my story as a general counterpoint to the "Well, > obviously the browser should Do The Right Thing if the Content-Type is > wrong" viewpoint. Content sniffing can have security consequences. Yes, content-sniffing capable of privilege escalation is dangerous. I don't think the HTML5 sniffing algorithm can ever do that, but let me know if you find a way in which it can. (<img> element sniffing is under-defined right now, I need to define "a valid image" to not include SVG unless it has a privileged MIME type. But that's the only hole I know of.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 25 May 2007 02:48:23 UTC