[whatwg] [mimesniff] The Apache workaround should not sniff random types

Boris Zbarsky bzbarsky at MIT.EDU
Tue Aug 27 09:26:53 PDT 2013

Previous message: [whatwg] Elements should be removed from the past names map once it's no longer associated with the form element
Next message: [whatwg] Script preloading
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The current mimesniff spec says that when the Apache workaround is 
applied sniffing should still be able to detect the content as 
PostScript, images, videos, archives, audio formats, etc.

I feel that this poses an unacceptable security risk due to allowing 
content through firewalls that is then interpreted differently by a UA. 
  In particular, postscript and media formats can be used to attack 
viewers and decoders.

Web compat does not require this behavior: Gecko only allows 
"text/plain" and "application/octet-stream" as output types when the 
Apache workaround is being applied, and we have been successfully 
shipping this for a while.  I would strongly oppose changing the Gecko 
behavior here due to the security implications.

Given the security risks and the lack of web compat issues, I believe 
the spec should not require the behavior it currently requires.

-Boris

Previous message: [whatwg] Elements should be removed from the past names map once it's no longer associated with the form element
Next message: [whatwg] Script preloading
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the whatwg mailing list