- From: David Singer <singer@apple.com>
- Date: Thu, 9 Sep 2010 16:44:26 -0700
On Sep 9, 2010, at 16:38 , Andy Berkheimer wrote: > Much of this discussion has focused on the careless server operator. What about the careful ones? > > Given the past history of content sniffing and security warts, it is useful - or at least comforting - to have a path for the careful server to indicate "I know this file really is intended to be handled as this type, please don't sniff it". This is particularly true for a server handling sanitized files from unknown sources, as no sanitizer will be perfect. > > Today we approximate this through accurate use of Content-Type and a recent addition of X-Content-Type-Options: nosniff. > > Never sniffing sounds idyllic and always sniffing makes life a bit riskier for careful server operators. The proposals of limiting video/audio sniffing to a few troublesome Content-Types are quite reasonable. I think I agree. The minimum I can think of is sniff when (a) suspect types are supplied and (b) they are 'auto-generated' (e.g. by a web server). If either are not true, you shouldn't need to sniff. Someone who writes <source ... type="video/frubotziger" ... /> causes both tests to fail and deserves to be believed (and get the consequences). (Have you SEEN frubotziger format video :-)) > > -Andy > > On Thu, Sep 9, 2010 at 3:07 AM, Philip J?genstedt <philipj at opera.com> wrote: > I think we should always sniff or never sniff, for simplicity. > > Philip David Singer Multimedia and Software Standards, Apple Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100909/a7e14ba6/attachment.htm>
Received on Thursday, 9 September 2010 16:44:26 UTC