- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 02 Dec 2009 19:25:17 +0100
- To: David Booth <david@dbooth.org>
- CC: Jonathan Rees <jar@creativecommons.org>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, www-tag@w3.org

David Booth wrote:
> ...
> But my question was innocent. I wasn't sure whether
> non-security-related cases had already been ruled out for some reason.
> If there isn't a particular reason to exclude them, I would suggest
> adding the word "especially" to the proposed update:
>
> If the Content-Type header field _is_ present, recipients SHOULD NOT
> examine the content and override the specified type, *especially* if the
> change would significantly alter the security exposure ('privilege
> escalation').
> ...

I personally think that SHOULD NOT is good advice. However, that has
failed in practice. UAs *do* sniff.

If you're serious about this, how about getting this into HTML5?

Best regards, Julian

Received on Wednesday, 2 December 2009 18:25:57 UTC