[whatwg] <object> behavior

Boris Zbarsky bzbarsky at MIT.EDU
Fri Oct 16 18:55:33 PDT 2009


On 10/16/09 8:21 PM, Ben Laurie wrote:
> The point is that if I think I'm sourcing something safe but it can be
> overridden by the MIME type, then I have a problem.

Perhaps we need an attribute on <object> that says to only render the 
data if the server provided type and @type match?  That way you can 
address your use case by setting that attribute and we don't enable 
attacks on random servers by allowing @type to override the 
server-provided type?

-Boris
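The strict-match rule Boris proposes, worked through as an added example that is not part of the thread and not browser or WHATWG code: a pure decision function that renders an `<object>` resource only when the server-provided Content-Type and the declared `@type` name the same media type (type/subtype, ignoring parameters such as `charset`). The opt-in attribute name and the sample header values are assumptions constructed for the example.

```javascript
// Added example, not from the whatwg thread. Implements the proposed
// "only render when server type and @type match" check as plain logic.
// The opt-in attribute name (hypothetically "strict-type") is an assumption.

// Parse a Content-Type header or @type value into {type, subtype, params}.
// Returns null when the value is not a syntactically valid media type.
function parseMediaType(value) {
  if (typeof value !== 'string') return null;
  const [essence, ...rest] = value.split(';');
  const token = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
  const m = new RegExp('^\\s*(' + token + ')/(' + token + ')\\s*$').exec(essence);
  if (!m) return null;
  const params = {};
  for (const p of rest) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    const k = p.slice(0, eq).trim().toLowerCase();
    let v = p.slice(eq + 1).trim();
    if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    if (k) params[k] = v;
  }
  return { type: m[1].toLowerCase(), subtype: m[2].toLowerCase(), params };
}

// Compare only the type/subtype essence, case-insensitively. Parameters do not
// change which handler (image decoder, plugin, HTML parser) a browser picks.
function mediaTypesMatch(serverType, declaredType) {
  const a = parseMediaType(serverType);
  const b = parseMediaType(declaredType);
  if (!a || !b) return false;
  return a.type === b.type && a.subtype === b.subtype;
}

function essenceOf(value) {
  const p = parseMediaType(value);
  return p ? p.type + '/' + p.subtype : null;
}

// Decide whether an <object> may render its data.
//   strict === true  : the proposed opt-in; both types must be present and equal.
//   strict === false : legacy behaviour, where the server-provided type wins
//                      and @type is only a fallback hint when the server gives none.
function decideObjectRendering({ serverType, declaredType, strict }) {
  if (strict) {
    if (!parseMediaType(serverType) || !parseMediaType(declaredType)) {
      return { render: false, reason: 'strict: server type or @type missing/invalid' };
    }
    if (!mediaTypesMatch(serverType, declaredType)) {
      return { render: false, reason: 'strict: server type and @type differ' };
    }
    return { render: true, effectiveType: essenceOf(serverType) };
  }
  const effectiveType = essenceOf(serverType) || essenceOf(declaredType);
  if (!effectiveType) return { render: false, reason: 'no usable type' };
  return { render: true, effectiveType };
}

// Constructed sample: page embeds what it believes is an image, but the
// server answers with text/html. Strict mode refuses to render it.
const sample = decideObjectRendering({
  serverType: 'text/html; charset=utf-8',   // constructed server header
  declaredType: 'image/png',                // constructed @type value
  strict: true,
});
console.log(sample); // { render: false, reason: 'strict: server type and @type differ' }

module.exports = { parseMediaType, mediaTypesMatch, decideObjectRendering };
```

In a browser the `serverType` argument would come from the fetched response's `Content-Type` header and `declaredType` from the element's `type` attribute; the decision is kept free of DOM calls so it can be unit-tested. Parameters are parsed but deliberately not compared, since `image/png` and `image/png; charset=utf-8` dispatch identically.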
