W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2013

[whatwg] [mimesniff] The Apache workaround should not sniff random types

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 27 Aug 2013 12:26:53 -0400
Message-ID: <521CD34D.70801@mit.edu>
To: whatwg <whatwg@lists.whatwg.org>
The current mimesniff spec says that when the Apache workaround is 
applied sniffing should still be able to detect the content as 
PostScript, images, videos, archives, audio formats, etc.

I feel that this poses an unacceptable security risk due to allowing 
content through firewalls that is then interpreted differently by a UA. 
  In particular, postscript and media formats can be used to attack 
viewers and decoders.

Web compat does not require this behavior: Gecko only allows 
"text/plain" and "application/octet-stream" as output types when the 
Apache workaround is being applied, and we have been successfully 
shipping this for a while.  I would strongly oppose changing the Gecko 
behavior here due to the security implications.

Given the security risks and the lack of web compat issues, I believe 
the spec should not require the behavior it currently requires.

Received on Tuesday, 27 August 2013 16:27:27 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:07 UTC