- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 28 Aug 2013 17:21:59 +0100
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>
On Wed, Aug 28, 2013 at 4:50 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote: > 1) Both jar: and mhtml: (which work or worked in a very similar way) > have caused problems in absence of strict Content-Type matching. In > essence, it is relatively easy for something like a valid > user-supplied text document or an image to be also a valid archive. > Such archives may end up containing "files" that the owner of the > website never intended to host in their origin. This also seems like a problem for being able to navigate to a zip archive's resources. E.g. if you have a hosting service for zip archives someone could upload one with an HTML subresource that executes some malicious script and trick users into navigating to http://hosting.example/pinkpony%!look.html I wonder if that is enough of a concern to not support navigating to zip resources at all. Or is Gecko's jar support enough to not have to care about this? (But we probably should do more than sniffing as you point out.) > 2) Both schemes also have a long history of breaking origin / host > name parsing in various places in the browser and introducing security > bugs. -- http://annevankesteren.nl/
Received on Wednesday, 28 August 2013 16:22:26 UTC