- From: Ben Laurie <benl@google.com>
- Date: Fri, 16 Oct 2009 20:21:27 -0400
On Fri, Oct 16, 2009 at 6:04 PM, Mike Shaver <mike.shaver at gmail.com> wrote:
> On Fri, Oct 16, 2009 at 5:56 PM, Ben Laurie <benl at google.com> wrote:
>> On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>>> This is, imo, a much bigger problem than that of people embedding content
>>> from an untrusted site and getting content X instead of content Y,
>>> especially because content X can't actually access the page that contains
>>> it, right?
>>
>> Flash can, for example.
>
> If Flash can do bad things, then sourcing Flash from an untrusted site
> and getting malicious Flash with the expected MIME type doesn't seem
> like it's any better than getting malicious Quicktime or Java or
> whatever via a switched MIME type.  Is there something I'm missing?

The point is that if I think I'm sourcing something safe but it can be
overridden by the MIME type, then I have a problem.

>
> Mike
>

Received on Friday, 16 October 2009 17:21:27 UTC