[whatwg] Style sheet loading and parsing (over HTTP)
Ian Hickson
ian at hixie.ch
Thu May 24 09:19:52 PDT 2007
On Thu, 24 May 2007, Gervase Markham wrote:
> Jon Barnett wrote:
> > It's detrimental to the user when the user is denied content or a stylesheet
> > for the content because a server is misconfigured. There are cases, such as
> > CSS documents and images referenced by CSS documents, where ignoring
> > Content-type is never harmful. In other cases, the harm can be mitigated by
> > the rules in the spec.
>
> It's also detrimental to the user when they are put at security risk
> because MIME types are not respected.
>
> Recent example: spammers, phishers and other sundry evildoers have
> started attaching HTML attachments to Bugzilla installations, and using
> them as redirectors to their sites, to avoid domain name blacklists in
> spam filtering software.
>
> Obvious solution: if an attachment is uploaded by a user with no
> permissions and its MIME type is one which contains script executed by
> the browser (all HTML types, SVG, ...) then change it to "text/plain".
> This is the least intrusive option - the attachment can still be viewed,
> and someone with permissions can change the MIME type later after
> checking the content.
>
> However, this doesn't protect anyone using IE, because IE claims to know
> better and ignores Content-Type.
Note that the HTML5 spec requires browsers not to convert text/plain to a
more dangerous type (text/plain is either treated as text/plain or
application/octet-stream according to the spec).
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
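The attachment-type downgrade Gervase describes, written out as an added illustration (not Bugzilla's own code): script-capable types uploaded by a user without the relevant permission are served as text/plain, and a nosniff header is added so browsers that honour it do not second-guess the declared type. The set of script-capable types, the permission flag and the function names are assumptions.

```python
# Added example: server-side Content-Type policy for user attachments.
# Not Bugzilla's code; names and the type list below are assumptions.

# Media types a browser renders with script execution. Extend as needed;
# the list is an assumption covering the HTML and SVG types mentioned.
SCRIPT_CAPABLE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}


def normalize_mime(content_type: str) -> str:
    """Return the lowercase media type with parameters (e.g. charset) removed."""
    return content_type.split(";", 1)[0].strip().lower()


def effective_attachment_type(content_type: str, uploader_can_attach_html: bool) -> str:
    """Return the Content-Type an attachment should be served with.

    Untrusted uploaders get text/plain for any script-capable type. The
    file remains viewable, and a privileged user can restore the original
    type later after inspecting the content.
    """
    media_type = normalize_mime(content_type)
    if not uploader_can_attach_html and media_type in SCRIPT_CAPABLE_TYPES:
        return "text/plain"
    return media_type


def response_headers(content_type: str, uploader_can_attach_html: bool) -> dict:
    """Headers for serving the attachment.

    X-Content-Type-Options: nosniff asks browsers that support it not to
    sniff the body into another type; HTML5-conformant browsers already
    never upgrade text/plain to a more dangerous type.
    """
    return {
        "Content-Type": effective_attachment_type(content_type, uploader_can_attach_html),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: an HTML attachment from an unprivileged uploader.
    print(response_headers("text/html; charset=utf-8", uploader_can_attach_html=False))
```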