Re: [css2.1] Handling of style sheets with no MIME type, or an unparseable MIME type

* Zack Weinberg wrote:
>Mozilla happens to treat the absence of a content-type, an unparseable
>content-type, and a handful of 'sentinel' values that are not
>*supposed* to appear on the wire (but nothing prevents this) as
>equivalent to text/css.  However, CVE-2010-0654 (see
>https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive
>discussion) makes me think this is not a good idea.

Do we know what browser vendors did exactly the last couple of times
this issue came up? I recall for instance CAN-2002-0191 in 2002, and
<http://www.hacker.co.il/security/ie/css_import.html> in 2005. It is
mentioned in MS02-023 for example, but details are scarce.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Thursday, 3 June 2010 20:44:41 UTC