- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 29 Nov 2012 01:48:46 -0500
- To: whatwg@lists.whatwg.org

On 11/29/12 1:30 AM, Gordon P. Hemsley wrote:
> Based on my reading of the source code, it seems that Gecko treats a
> resource served as 'application/octet-stream' as an unknown type which
> is sniffed as if no Content-Type was specified.

Only for media (<video> and <audio>) loads. Note that the HTML spec requires this behavior for those.

> Are there security implications with doing this?

In general, yes. Doing this for document loads would be a security nightmare, for example.

-Boris

Received on Thursday, 29 November 2012 07:16:13 UTC