[whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

From: Gordon P. Hemsley <gphemsley@gmail.com>
Date: Thu, 29 Nov 2012 01:30:38 -0500
Message-ID: <CAH4e3M5h9=7+MzCUFMBw6Mh5FW6zBc2e+FkjkhAvoofzAnm0Hg@mail.gmail.com>
To: whatwg List <whatwg@whatwg.org>

Based on my reading of the source code, it seems that Gecko treats a
resource served as 'application/octet-stream' as an unknown type which
is sniffed as if no Content-Type was specified.

Are there security implications with doing this? Or should I add
'application/octet-stream' to the list of unknown types that currently
includes 'unknown/unknown', 'application/unknown', and '*/*' (step 2
of the "media type sniffing algorithm")? Or, given that that step
calls the "rules for identifying an unknown media type" with the
sniff-scriptable flag set, should it get its own call, with the
sniff-scriptable flag unset? Are there other options here?

I haven't checked what UAs actually do in practice, but I don't
believe the spec currently allows anything but leaving resources
tagged as 'application/octet-stream' as they are.

Gordon P. Hemsley
Received on Thursday, 29 November 2012 06:36:22 UTC
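
The three options raised in the message above, modelled side by side as an added example (not part of the original message, the mimesniff spec text, or Gecko's code). The function names, the option names, the 512-byte window and the small signature subset are assumptions of this sketch.

```javascript
// Added illustration: simplified model, NOT the full mimesniff algorithm.
// Function names, option names and the 512-byte window are assumptions of this sketch.
const UNKNOWN_TYPES = new Set(["unknown/unknown", "application/unknown", "*/*"]);
const HTML_TAGS = ["<!DOCTYPE HTML", "<HTML", "<HEAD", "<SCRIPT", "<BODY"]; // subset
const isBinaryByte = (b) =>
  b <= 0x08 || b === 0x0b || (b >= 0x0e && b <= 0x1a) || (b >= 0x1c && b <= 0x1f);

// Stand-in for the "rules for identifying an unknown media type".
function identifyUnknown(bytes, sniffScriptable) {
  const header = bytes.slice(0, 512);
  const text = String.fromCharCode(...header);
  if (sniffScriptable) {
    // Scriptable types are only considered when the flag is set.
    const head = text.replace(/^[\t\n\f\r ]+/, "").toUpperCase();
    for (const tag of HTML_TAGS) {
      const next = head[tag.length];
      if (head.startsWith(tag) && (next === " " || next === ">")) return "text/html";
    }
  }
  if (text.startsWith("\x89PNG\r\n\x1a\n")) return "image/png";
  if (text.startsWith("GIF87a") || text.startsWith("GIF89a")) return "image/gif";
  return header.some(isBinaryByte) ? "application/octet-stream" : "text/plain";
}

// option: "as-is" | "unknown-scriptable" | "unknown-nonscriptable"
function computedType(contentType, bytes, option) {
  const type = contentType.trim().toLowerCase();
  if (UNKNOWN_TYPES.has(type)) return identifyUnknown(bytes, true);
  if (type === "application/octet-stream" && option !== "as-is") {
    return identifyUnknown(bytes, option === "unknown-scriptable");
  }
  return type;
}

// Computed type of one application/octet-stream body under each option.
function compareOptions(bytes) {
  const out = {};
  for (const opt of ["as-is", "unknown-scriptable", "unknown-nonscriptable"]) {
    out[opt] = computedType("application/octet-stream", bytes, opt);
  }
  return out;
}

// Constructed sample inputs.
const htmlUpload = Uint8Array.from("<html><script>/* constructed */</script>", (c) => c.charCodeAt(0));
const pngUpload = Uint8Array.of(0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00);
console.log(compareOptions(htmlUpload), compareOptions(pngUpload));
```

In this model only the scriptable option turns an HTML-looking body served as 'application/octet-stream' into text/html; with the flag unset the same body becomes text/plain, while the PNG body is identified as image/png under either sniffing option.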