[whatwg] <object> behavior

Ben Laurie benl at google.com
Fri Oct 16 17:21:27 PDT 2009


On Fri, Oct 16, 2009 at 6:04 PM, Mike Shaver <mike.shaver at gmail.com> wrote:
> On Fri, Oct 16, 2009 at 5:56 PM, Ben Laurie <benl at google.com> wrote:
>> On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>>> This is, imo, a much bigger problem than that of people embedding content
>>> from an untrusted site and getting content X instead of content Y,
>>> especially because content X can't actually access the page that contains
>>> it, right?
>>
>> Flash can, for example.
>
> If Flash can do bad things, then sourcing Flash from an untrusted site
> and getting malicious Flash with the expected MIME type doesn't seem
> like it's any better than getting malicious Quicktime or Java or
> whatever via a switched MIME type.  Is there something I'm missing?

The point is that if I think I'm sourcing something safe but it can be
overridden by the MIME type, then I have a problem.

>
> Mike
>

