- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 28 Aug 2013 08:50:16 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>
Two implementation risks to keep in mind: 1) Both jar: and mhtml: (which work or worked in a very similar way) have caused problems in absence of strict Content-Type matching. In essence, it is relatively easy for something like a valid user-supplied text document or an image to be also a valid archive. Such archives may end up containing "files" that the owner of the website never intended to host in their origin. 2) Both schemes also have a long history of breaking origin / host name parsing in various places in the browser and introducing security bugs. /mz
Received on Wednesday, 28 August 2013 15:51:12 UTC