[whatwg] <object> behavior

Mike Shaver mike.shaver at gmail.com
Fri Oct 16 15:04:21 PDT 2009


On Fri, Oct 16, 2009 at 5:56 PM, Ben Laurie <benl at google.com> wrote:
> On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> This is, imo, a much bigger problem than that of people embedding content
>> from an untrusted site and getting content X instead of content Y,
>> especially because content X can't actually access the page that contains
>> it, right?
>
> Flash can, for example.

If Flash can do bad things, then sourcing Flash from an untrusted site
and getting malicious Flash with the expected MIME type doesn't seem
like it's any better than getting malicious Quicktime or Java or
whatever via a switched MIME type.  Is there something I'm missing?

Mike



More information about the whatwg mailing list