
[whatwg] Style sheet loading and parsing (over HTTP)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 25 May 2007 09:48:23 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0705250944380.16228@dhalsim.dreamhost.com>

On Fri, 25 May 2007, Gervase Markham wrote:
> Although I also mention my story as a general counterpoint to the "Well, 
> obviously the browser should Do The Right Thing if the Content-Type is 
> wrong" viewpoint. Content sniffing can have security consequences.

Yes, content-sniffing capable of privilege escalation is dangerous. I 
don't think the HTML5 sniffing algorithm can ever do that, but let me know 
if you find a way in which it can.

(<img> element sniffing is under-defined right now; I need to define "a 
valid image" to not include SVG unless it has a privileged MIME type. But 
that's the only hole I know of.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 25 May 2007 02:48:23 UTC
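The rule sketched in the message (raster images may be sniffed from their bytes, but SVG only counts as a valid image when the server declared it as such) as an added illustration; this is not code from the thread or from any browser, and the magic-byte table, the loose `<svg` check and the helper names are assumptions made for the example.

```python
# Added example: a defensive image classifier for <img> resources.
# Design assumed here (not from the thread): raster formats are sniffed
# from magic bytes, while SVG (XML that can carry script and thus run with
# the embedding page's privileges if mis-sniffed) is accepted only when the
# server explicitly declared image/svg+xml.

# Magic-byte table for raster formats that are safe to sniff (constructed).
RASTER_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

def sniff_raster(body: bytes):
    """Return the raster MIME type matching the leading bytes, else None."""
    for magic, mime in RASTER_MAGIC:
        if body.startswith(magic):
            return mime
    return None

def looks_like_svg(body: bytes) -> bool:
    """Loose check: an <svg element near the start of the resource."""
    return b"<svg" in body[:1024].lower()

def classify_image(content_type, body: bytes):
    """MIME type the <img> element may treat the resource as, or None.

    Sniffing never promotes a resource to SVG: that type is granted only
    when the server took responsibility for it via Content-Type.
    """
    declared = (content_type or "").split(";")[0].strip().lower()
    if declared == "image/svg+xml":
        return "image/svg+xml"          # privileged type, honoured as-is
    if looks_like_svg(body):
        return None                     # SVG served under a non-SVG type
    return sniff_raster(body)           # raster formats may be sniffed

# Constructed sample resources (not real files).
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_BODY = b'<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>'

def demo():
    """Each case: (declared Content-Type, body) -> decision."""
    return {
        "mislabelled png": classify_image("text/plain", PNG_BODY),
        "mislabelled svg": classify_image("text/plain", SVG_BODY),
        "declared svg": classify_image("image/svg+xml; charset=utf-8", SVG_BODY),
        "garbage as png": classify_image("image/png", b"not an image"),
    }
```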
