Re: [whatwg] AppCache Content-Type Security Considerations

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Tue, 13 May 2014 20:00:05 -0700
Message-ID: <CALx_OUAE4=7+_m93kLu9B60E3G4QXAZnTw=SN16bPGdZhWt3zA@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg <whatwg@lists.whatwg.org>, "Eduardo' Vela\\\\ <Nava>" <evn@google.com>, Adam Barth <w3c@adambarth.com>

> I disagree. Much of the Web actually relies on this today, and for the
> most part it works. For example, when you do:
>
>    <img src="foo" ...>
>
> ...the Content-Type is ignored except for SVG.

Well, <img> is actually a fairly special case of content that is
difficult for attackers to spoof and that can't be easily read back
across domains without additional CORS headers. But I believe that in
Chrome and in Firefox, C-T checks or other mitigations have been
recently added at least for <script>, <link rel=stylesheet>, and <object>
/ <embed>, all of which lead to interesting security problems when
they are used to load other types of documents across origins. Similar
changes are being made also for a couple of other cases, such as <a
download>.

/mz
Received on Wednesday, 14 May 2014 03:00:50 UTC