- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Tue, 13 May 2014 20:00:05 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: whatwg <whatwg@lists.whatwg.org>, "Eduardo' Vela\\\\ <Nava>" <evn@google.com>, Adam Barth <w3c@adambarth.com>
> I disagree. Much of the Web actually relies on this today, and for the
> most part it works. For example, when you do:
>
> <img src="foo" ...>
>
> ...the Content-Type is ignored except for SVG.

Well, <img> is actually a fairly special case of content that is difficult for attackers to spoof and that can't be easily read back across domains without additional CORS headers. But I believe that in Chrome and in Firefox, C-T checks or other mitigations have been recently added for at least <script>, <link rel=stylesheet>, and <object> / <embed>, all of which lead to interesting security problems when they are used to load other types of documents across origins. Similar changes are being made also for a couple of other cases, such as <a download>.

/mz
Received on Wednesday, 14 May 2014 03:00:50 UTC