- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 08 Sep 2010 16:04:24 -0400
On 9/8/10 3:58 PM, Aryeh Gregor wrote:
> And the problem is that you don't want to keep the data handy in case
> it fails?

Yes. The problem is that I don't want to have to buffer up potentially-arbitrary amounts of data.

>> Yes. Undocumented sniffing behaviour has caused many vulnerabilities, as
>> even well-known sniffing behaviour continues to do (see the current
>> publicised difficulties with CSS-inclusion attacks). Lack of sniffing
>> behaviour, however, has never caused a vulnerability. It fails safe.
>
> The CSS-inclusion attacks that I'm aware of involve @import-ing an
> HTML document and observing what syntax errors occur. There is no
> sniffing that occurs there.

There sort of is. There's the fact that for quirks documents the Content-Type for style sheet resources was ignored. (Note that the syntax errors are not what the issue was about, btw.)

-Boris
Received on Wednesday, 8 September 2010 13:04:24 UTC