[whatwg] <object> behavior

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 16 Oct 2009 21:55:33 -0400
Message-ID: <4AD92415.70609@mit.edu>
On 10/16/09 8:21 PM, Ben Laurie wrote:
> The point is that if I think I'm sourcing something safe but it can be
> overridden by the MIME type, then I have a problem.

Perhaps we need an attribute on <object> that says to only render the 
data if the server-provided type and @type match?  That way you can 
address your use case by setting that attribute and we don't enable 
attacks on random servers by allowing @type to override the 
server-provided type?

-Boris
Received on Friday, 16 October 2009 18:55:33 UTC
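
The opt-in check proposed in the message above, sketched as an added example that is not part of the original post or of any browser's code. The flag name `requireTypeMatch` is a hypothetical stand-in for the attribute (the message does not name one), and falling back to @type when the server sends no type is an assumption.

```javascript
// Added illustration. `requireTypeMatch` is a hypothetical name for the
// proposed <object> attribute; the message does not name one.

// Reduce a Content-Type header or @type value to its lower-cased
// "type/subtype" essence, dropping parameters such as charset.
// Returns null when the value is missing or malformed.
function mimeEssence(value) {
  if (typeof value !== "string") return null;
  const essence = value.split(";")[0].trim().toLowerCase();
  const token = "[a-z0-9!#$&^_.+-]+";
  return new RegExp("^" + token + "/" + token + "$").test(essence) ? essence : null;
}

// Decide whether an <object> is rendered, and as which type.
//   declaredType     : the @type attribute on the element (may be undefined)
//   serverType       : the Content-Type response header (may be undefined)
//   requireTypeMatch : true when the embedding page opts in to strict matching
function decideObjectRender(declaredType, serverType, requireTypeMatch) {
  const declared = mimeEssence(declaredType);
  const served = mimeEssence(serverType);

  if (requireTypeMatch) {
    // Strict mode: both types must be present, well-formed and equal.
    // A missing or mismatched server type fails closed.
    if (declared !== null && declared === served) {
      return { render: true, as: served };
    }
    return { render: false, reason: "declared=" + declared + " served=" + served };
  }

  // Default mode: @type never overrides the server-provided type.
  if (served !== null) return { render: true, as: served };
  // Assumption: @type is used only when the server sent no usable type.
  if (declared !== null) return { render: true, as: declared };
  return { render: false, reason: "no usable type" };
}

// Constructed sample: the page declares an image, the server says otherwise.
const strict = decideObjectRender("image/png", "application/x-shockwave-flash", true);
const lax = decideObjectRender("image/png", "application/x-shockwave-flash", false);
console.log(strict, lax);
```

In strict mode the mismatched response is not rendered at all, which addresses the embedder's concern; in default mode the server-provided type still wins, so @type cannot be used to reinterpret content on a server that did not intend it.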