- From: Gregory Maxwell <gmaxwell@gmail.com>
- Date: Wed, 1 Sep 2010 00:27:36 -0400
On 8/31/10, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> If you can't come up with any actual problems with what IE is doing,
> then why is anything else even being considered? There's a very
> clear-cut problem with relying on MIME types: MIME types are often
> wrong and hard for authors to configure, and this is not going to
> change anytime soon.

Aggressive sniffing can and has resulted in some pretty nasty security bugs. E.g. an attacker crafts an input that a website identifies as video and permits the upload but which a browser sniffs out to be a Java JAR which can then access the source URL with the permissions of the user.

The sniffing rules, in some contexts and some browsers, can also end up causing surprising failures... e.g. I've seen older versions of some sniffing-heavy browsers automatically switch into UCS-2LE encoding at wrong and surprising times. Perhaps this is irrelevant in a video-specific discussion of sniffing? But it is a hazard with sniffing in general.

Moreover, it'll never be consistent from implementation to implementation, which seems to me to be pretty antithetical to standardization in general.

Received on Tuesday, 31 August 2010 21:27:36 UTC
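
A server-side check for the upload scenario described in the message above, added here as an illustration and not part of the original post: it rejects a file whose leading bytes look like video but which also parses as a ZIP/JAR archive, and serves accepted files with an explicit type. The function names, the magic-byte table and the sample bytes are assumptions constructed for the example, and the `X-Content-Type-Options: nosniff` header is a mitigation the message itself does not mention.

```python
import io
import zipfile

# Leading magic bytes for a few video containers (illustrative, not exhaustive).
VIDEO_MAGIC = {
    "video/ogg": (0, b"OggS"),
    "video/webm": (0, b"\x1a\x45\xdf\xa3"),
    "video/mp4": (4, b"ftyp"),
}

def leading_video_type(data):
    """Return the MIME type implied by the first bytes, or None."""
    for mime, (offset, magic) in VIDEO_MAGIC.items():
        if data[offset:offset + len(magic)] == magic:
            return mime
    return None

def also_parses_as_zip(data):
    """ZIP/JAR readers locate the archive from the END of the file,
    so a video-looking header does not rule out a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return True
    except zipfile.BadZipFile:
        return False

def check_upload(data):
    """Return (accepted, mime, response_headers) for an upload meant to be video."""
    mime = leading_video_type(data)
    if mime is None:
        return (False, None, {})
    if also_parses_as_zip(data):
        # Two parsers would disagree about what this file is: refuse it.
        return (False, mime, {})
    # Declare the type explicitly and ask browsers that honour it not to sniff.
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    return (True, mime, headers)

def constructed_samples():
    """Constructed test bytes: an Ogg magic plus padding (not a real video),
    and the same bytes with a small ZIP holding one text file appended."""
    plain = b"OggS" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed test data")
    return plain, plain + buf.getvalue()

if __name__ == "__main__":
    for sample in constructed_samples():
        print(check_upload(sample))
```

A check on leading bytes alone accepts both constructed samples; only the second test, which reads the file the way an archive reader would, tells them apart.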