W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2014

Re: [whatwg] AppCache Content-Type Security Considerations

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Tue, 13 May 2014 09:57:41 -0700
Message-ID: <CALx_OUAMD4s96fwMix9kRqC-Ri4Ccaqii2bQKRhWHVtjUasioA@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg <whatwg@lists.whatwg.org>, "Eduardo' Vela\\ <Nava>" <evn@google.com>, Adam Barth <w3c@adambarth.com>
>> Yup, from the perspective of a significant proportion of modern
>> websites, MIME sniffing would be almost certainly a disaster.
> I'm not suggesting sniffing, I'm suggesting having a single well-defined
> algorithm with well-defined fixed signatures.
> For formats that don't have signatures, this doesn't work, obviously.

We probably can't support a well-defined algorithm for detecting
documents that have distinctive signatures while safely supporting
formats that don't have them (because there is always a possibility
that the non-structured format with user-controlled data could be used
to forge a signature).
Received on Tuesday, 13 May 2014 16:59:16 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:20 UTC