W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2009

[whatwg] <object> behavior

From: Ben Laurie <benl@google.com>
Date: Sat, 17 Oct 2009 03:44:40 -0400
Message-ID: <1b587cab0910170044t45dca3d4sa191099e9b2de356@mail.gmail.com>
On Fri, Oct 16, 2009 at 9:55 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/16/09 8:21 PM, Ben Laurie wrote:
>> The point is that if I think I'm sourcing something safe but it can be
>> overridden by the MIME type, then I have a problem.
> Perhaps we need an attribute on <object> that says to only render the data
> if the server provided type and @type match? ?That way you can address your
> use case by setting that attribute and we don't enable attacks on random
> servers by allowing @type to override the server-provided type?

That would work.
Received on Saturday, 17 October 2009 00:44:40 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:18 UTC