W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2014

Re: [whatwg] [mimesniff] The Apache workaround should not sniff random types

From: Gordon P. Hemsley <me@gphemsley.org>
Date: Fri, 17 Jan 2014 00:34:36 -0500
Message-ID: <52D8C0EC.7070205@gphemsley.org>
To: Boris Zbarsky <bzbarsky@MIT.EDU>, whatwg <whatwg@lists.whatwg.org>
On 08/27/2013 12:26 PM, Boris Zbarsky wrote:
> The current mimesniff spec says that when the Apache workaround is
> applied sniffing should still be able to detect the content as
> PostScript, images, videos, archives, audio formats, etc.
>
> I feel that this poses an unacceptable security risk due to allowing
> content through firewalls that is then interpreted differently by a UA.
>   In particular, postscript and media formats can be used to attack
> viewers and decoders.
>
> Web compat does not require this behavior: Gecko only allows
> "text/plain" and "application/octet-stream" as output types when the
> Apache workaround is being applied, and we have been successfully
> shipping this for a while.  I would strongly oppose changing the Gecko
> behavior here due to the security implications.
>
> Given the security risks and the lack of web compat issues, I believe
> the spec should not require the behavior it currently requires.
>
> -Boris

I have finally made this change. Please confirm that this is what you 
had in mind:

https://github.com/whatwg/mimesniff/commit/d7bafc16ee480a5dea4c27d60dd5272388e022ce

http://mimesniff.spec.whatwg.org/#rules-for-text-or-binary

-- 
Gordon P. Hemsley
me@gphemsley.org
http://gphemsley.org/
Received on Friday, 17 January 2014 05:34:55 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:15 UTC