- From: Gordon P. Hemsley <me@gphemsley.org>
- Date: Fri, 17 Jan 2014 00:34:36 -0500
- To: Boris Zbarsky <bzbarsky@MIT.EDU>, whatwg <whatwg@lists.whatwg.org>
On 08/27/2013 12:26 PM, Boris Zbarsky wrote:
> The current mimesniff spec says that when the Apache workaround is
> applied sniffing should still be able to detect the content as
> PostScript, images, videos, archives, audio formats, etc.
>
> I feel that this poses an unacceptable security risk due to allowing
> content through firewalls that is then interpreted differently by a UA.
> In particular, postscript and media formats can be used to attack
> viewers and decoders.
>
> Web compat does not require this behavior: Gecko only allows
> "text/plain" and "application/octet-stream" as output types when the
> Apache workaround is being applied, and we have been successfully
> shipping this for a while. I would strongly oppose changing the Gecko
> behavior here due to the security implications.
>
> Given the security risks and the lack of web compat issues, I believe
> the spec should not require the behavior it currently requires.
>
> -Boris

I have finally made this change. Please confirm that this is what you had in mind:

https://github.com/whatwg/mimesniff/commit/d7bafc16ee480a5dea4c27d60dd5272388e022ce
http://mimesniff.spec.whatwg.org/#rules-for-text-or-binary

--
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/
Received on Friday, 17 January 2014 05:34:55 UTC
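The point of the thread is that a resource served with a bare `text/plain` Content-Type (the "Apache workaround" case) should only ever sniff to `text/plain` or `application/octet-stream`, never to a richer type such as PostScript that a firewall did not see but a viewer will act on. The following is an added example, not code from the WHATWG thread, from Gecko, or from the mimesniff spec itself. It models the two behaviours side by side: a permissive sniffer of the kind the pre-change spec allowed, and the restricted "rules for text or binary" that the commit above settles on. The trigger Content-Type values, the 1445-byte resource-header length and the binary-data-byte ranges are my reading of the mimesniff spec and are labelled as assumptions in the code; the magic-number table in the permissive variant is illustrative, not the spec's full table.

```python
from typing import Optional

# Content-Type values that enable the Apache workaround ("check-for-apache-bug").
# Assumption: exact, case-sensitive strings as I read them in the mimesniff spec;
# the thread itself does not list them.
APACHE_BUG_TYPES = frozenset({
    "text/plain",
    "text/plain; charset=ISO-8859-1",
    "text/plain; charset=iso-8859-1",
    "text/plain; charset=UTF-8",
})

# Assumption: the spec's "binary data byte" ranges (control bytes other than
# TAB, LF, FF, CR and ESC).
BINARY_DATA_BYTES = (
    frozenset(range(0x00, 0x09))
    | frozenset({0x0B})
    | frozenset(range(0x0E, 0x1B))
    | frozenset(range(0x1C, 0x20))
)

# Assumption: the spec's resource header is the first 1445 bytes.
RESOURCE_HEADER_LEN = 1445

# The only two outputs Boris says Gecko permits in the Apache-workaround case.
RESTRICTED_OUTPUTS = frozenset({"text/plain", "application/octet-stream"})

# Illustrative magic numbers a permissive sniffer might honour (constructed
# subset for the example; well-known signatures, not the spec's table).
PERMISSIVE_SIGNATURES = (
    (b"%!PS-Adobe-", "application/postscript"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
)


def apache_bug_applies(content_type: Optional[str]) -> bool:
    """True when the supplied Content-Type is one the Apache workaround targets."""
    return content_type in APACHE_BUG_TYPES


def _has_bom(header: bytes) -> bool:
    # UTF-16BE, UTF-16LE or UTF-8 byte-order mark: treated as text regardless
    # of what follows.
    return header[:2] in (b"\xfe\xff", b"\xff\xfe") or header[:3] == b"\xef\xbb\xbf"


def sniff_text_or_binary(body: bytes) -> str:
    """Restricted rules: BOM -> text/plain; any binary data byte ->
    application/octet-stream; otherwise text/plain. Nothing else is possible."""
    header = body[:RESOURCE_HEADER_LEN]
    if _has_bom(header):
        return "text/plain"
    if any(b in BINARY_DATA_BYTES for b in header):
        return "application/octet-stream"
    return "text/plain"


def sniff_text_or_binary_permissive(body: bytes) -> str:
    """The behaviour the old spec text allowed: same as above, but magic-number
    matches win, so a text/plain response can become PostScript, an image, etc."""
    header = body[:RESOURCE_HEADER_LEN]
    if _has_bom(header):
        return "text/plain"
    for signature, mime_type in PERMISSIVE_SIGNATURES:
        if header.startswith(signature):
            return mime_type
    if any(b in BINARY_DATA_BYTES for b in header):
        return "application/octet-stream"
    return "text/plain"


def computed_mime_type(content_type: Optional[str], body: bytes,
                       restricted: bool = True) -> str:
    """Computed type for the Apache-workaround case only; other supplied types
    are returned unchanged (the rest of the sniffing algorithm is out of scope)."""
    if not apache_bug_applies(content_type):
        return content_type if content_type else "application/octet-stream"
    if restricted:
        return sniff_text_or_binary(body)
    return sniff_text_or_binary_permissive(body)


if __name__ == "__main__":
    # Constructed sample: a PostScript file served as bare text/plain.
    ps_body = b"%!PS-Adobe-3.0\n%%Title: constructed sample\nshowpage\n"
    print("permissive:", computed_mime_type("text/plain", ps_body, restricted=False))
    print("restricted:", computed_mime_type("text/plain", ps_body))
```

With the permissive variant the PostScript sample sniffs to `application/postscript`, so a UA would hand bytes that passed a firewall as plain text to a PostScript interpreter; with the restricted rules the same bytes are `text/plain`, and a PNG or other binary served the same way becomes `application/octet-stream` rather than an image type. The guarantee worth checking in a real implementation is the one encoded in `RESTRICTED_OUTPUTS`: whatever the body, the Apache-workaround path yields one of exactly two types.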