- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 16 Oct 2009 21:55:33 -0400
On 10/16/09 8:21 PM, Ben Laurie wrote:
> The point is that if I think I'm sourcing something safe but it can be
> overridden by the MIME type, then I have a problem.

Perhaps we need an attribute on <object> that says to only render the data if the server provided type and @type match? That way you can address your use case by setting that attribute and we don't enable attacks on random servers by allowing @type to override the server-provided type?

-Boris
Received on Friday, 16 October 2009 18:55:33 UTC