- From: Ben Laurie <benl@google.com>
- Date: Sat, 17 Oct 2009 03:44:40 -0400
On Fri, Oct 16, 2009 at 9:55 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/16/09 8:21 PM, Ben Laurie wrote:
>>
>> The point is that if I think I'm sourcing something safe but it can be
>> overridden by the MIME type, then I have a problem.
>
> Perhaps we need an attribute on <object> that says to only render the data
> if the server provided type and @type match? That way you can address your
> use case by setting that attribute and we don't enable attacks on random
> servers by allowing @type to override the server-provided type?

That would work.
Received on Saturday, 17 October 2009 00:44:40 UTC