Re: [whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

On Thu, Nov 29, 2012 at 2:30 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 28, 2012 at 10:30 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
>> Based on my reading of the source code, it seems that Gecko treats a
>> resource served as 'application/octet-stream' as an unknown type which
>> is sniffed as if no Content-Type was specified.
>>
>> Are there security implications with doing this?
>
> Yes, there are very large security consequences.  I'm sorry that I
> don't have time to respond to all of these threads in detail, but I'm
> worried that you don't understand the consequences of the changes
> you're proposing to this specification.
>
> I'm not sure how to help you succeed here, but tweaking things in the
> spec without a compelling reason for doing so is not likely to lead to
> a useful specification.  I spent a great deal of time and effort
> studying the behaviors of many user agents and of a massive amount of
> content on the web.  I'm certainly willing to believe that the spec
> can be improved, but if you don't understand these sorts of basic
> things about content sniffing, I worry that changes that you make to
> the spec won't be improvements.
>
> Adam

I and others have already made clear that I was misreading the Mozilla
source code.

I'm aware of the security implications of interpreting a resource as
something other than what the Content-Type header says. The whole
reason I sent the original e-mail was because I thought Mozilla was
sniffing "application/octet-stream" in a way that it shouldn't, and I
wanted to clarify whether there was something I was missing.

I think you need to tone down your worry about my changes to the spec.
If I didn't have concern for the security implications for a change, I
wouldn't be sending an e-mail to the list about them, would I?

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/http://gphemsley.org/blog/

Received on Thursday, 29 November 2012 20:34:56 UTC