- From: Gordon P. Hemsley <gphemsley@gmail.com>
- Date: Thu, 29 Nov 2012 14:40:01 -0500
- To: Adam Barth <w3c@adambarth.com>
- Cc: whatwg List <whatwg@whatwg.org>
On Thu, Nov 29, 2012 at 2:30 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Wed, Nov 28, 2012 at 10:30 PM, Gordon P. Hemsley <gphemsley@gmail.com> wrote:
>
>> Based on my reading of the source code, it seems that Gecko treats a resource served as 'application/octet-stream' as an unknown type which is sniffed as if no Content-Type was specified.
>>
>> Are there security implications with doing this?
>
> Yes, there are very large security consequences. I'm sorry that I don't have time to respond to all of these threads in detail, but I'm worried that you don't understand the consequences of the changes you're proposing to this specification.
>
> I'm not sure how to help you succeed here, but tweaking things in the spec without a compelling reason for doing so is not likely to lead to a useful specification. I spent a great deal of time and effort studying the behaviors of many user agents and of a massive amount of content on the web. I'm certainly willing to believe that the spec can be improved, but if you don't understand these sorts of basic things about content sniffing, I worry that changes that you make to the spec won't be improvements.
>
> Adam

I and others have already made clear that I was misreading the Mozilla source code. I'm aware of the security implications of interpreting a resource as something other than what the Content-Type header says. The whole reason I sent the original e-mail was because I thought Mozilla was sniffing "application/octet-stream" in a way that it shouldn't, and I wanted to clarify whether there was something I was missing.

I think you need to tone down your worry about my changes to the spec. If I didn't have concern for the security implications of a change, I wouldn't be sending an e-mail to the list about them, would I?

--
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/ • http://gphemsley.org/blog/
Received on Thursday, 29 November 2012 20:34:56 UTC