[whatwg] Style sheet loading and parsing (over HTTP)
Ian Hickson
ian at hixie.ch
Fri May 25 02:48:23 PDT 2007
On Fri, 25 May 2007, Gervase Markham wrote:
>
> Although I also mention my story as a general counterpoint to the "Well,
> obviously the browser should Do The Right Thing if the Content-Type is
> wrong" viewpoint. Content sniffing can have security consequences.
Yes, content-sniffing capable of privilege escalation is dangerous. I
don't think the HTML5 sniffing algorithm can ever do that, but let me know
if you find a way in which it can.
(<img> element sniffing is under-defined right now, I need to define "a
valid image" to not include SVG unless it has a privileged MIME type. But
that's the only hole I know of.)
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
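The distinction drawn in the reply above, between sniffing that merely recognises a passive bitmap and sniffing that would upgrade a resource to a scriptable type such as SVG, can be made concrete in a few lines. The following is an added illustration, not code from the thread or from the HTML5 sniffing algorithm; the function names, the magic-byte table and the deliberately loose SVG check are assumptions made for the example. The rule it enforces is the one the post argues for: bytes may be treated as SVG only when the server already declared image/svg+xml, so sniffing can never grant more privilege than the declared Content-Type.

```python
# Added example (not from the whatwg thread or the HTML5 spec): an image-type
# sniffer that refuses to let sniffing escalate privilege. Bitmap formats are
# recognised from their leading bytes; SVG (which can carry script) is only
# honoured when the declared Content-Type is already image/svg+xml.
from typing import Optional

# Constructed magic-byte table for script-free bitmap formats (assumption: the
# example only needs these three; a real sniffer would cover more).
_BITMAP_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}


def sniff_bitmap(data: bytes) -> Optional[str]:
    """Return the bitmap MIME type implied by the leading bytes, or None."""
    for signature, mime in _BITMAP_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def looks_like_svg(data: bytes) -> bool:
    """Loose, example-only check: optional XML declaration then an <svg root."""
    head = data[:512].lstrip()
    if head.startswith(b"<?xml"):
        end = head.find(b"?>")
        head = head[end + 2:].lstrip() if end != -1 else b""
    return head.lower().startswith(b"<svg")


def classify_image(declared_type: str, data: bytes) -> Optional[str]:
    """Decide which image type, if any, a resource may be rendered as.

    * A bitmap signature is accepted whatever the declared type: rendering
      PNG bytes as PNG grants nothing the declaration did not already allow.
    * SVG bytes are accepted only if the server declared image/svg+xml.
      Upgrading bytes declared as image/png to SVG would let script run where
      a passive bitmap was promised, which is the escalation to avoid.
    * Anything else is not a valid image and yields None.
    """
    declared = declared_type.split(";")[0].strip().lower()
    bitmap = sniff_bitmap(data)
    if bitmap is not None:
        return bitmap
    if looks_like_svg(data):
        return "image/svg+xml" if declared == "image/svg+xml" else None
    return None


# Constructed sample inputs for a stand-alone run.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_BYTES = (b'<?xml version="1.0"?>\n'
             b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>')

if __name__ == "__main__":
    for declared, payload in [("image/png", PNG_BYTES),
                              ("image/svg+xml", SVG_BYTES),
                              ("image/png", SVG_BYTES),
                              ("text/plain", PNG_BYTES)]:
        print(f"declared={declared:14} -> treated as {classify_image(declared, payload)}")
```

The third case is the interesting one: SVG bytes served with a bitmap Content-Type are not rendered at all rather than "helpfully" upgraded, while the fourth shows that a mislabelled PNG can still be recognised because doing so adds no capability.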