- From: Zack Weinberg <zweinberg@mozilla.com>
- Date: Thu, 3 Jun 2010 17:18:41 -0700
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: W3C Emailing list for WWW Style <www-style@w3.org>
Bjoern Hoehrmann <derhoermi@gmx.net> wrote: > * Zack Weinberg wrote: > >Mozilla happens to treat the absence of a content-type, an > >unparseable content-type, and a handful of 'sentinel' values that > >are not *supposed* to appear on the wire (but nothing prevents this) > >as equivalent to text/css. However, CVE-2010-0654 (see > >https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive > >discussion) makes me think this is not a good idea. > > Do we know what browser vendors did exactly the last couple of times > this issue came up? I recall for instance CAN-2002-0191 in 2002, and > <http://www.hacker.co.il/security/ie/css_import.html> in 2005. It is > mentioned in MS02-023 for example, but details are scarce. I don't know the history any better than you do, but I would imagine that previous attempts to close this hole didn't worry about the MIME type of the "sheet" very much at all - it seems to have been all on the level of 'well, ok, we need to lock down cross-origin CSSOM accesses'. zw
Received on Friday, 4 June 2010 00:19:17 UTC