[whatwg] <object> behavior
Boris Zbarsky
bzbarsky at MIT.EDU
Fri Oct 16 18:55:33 PDT 2009
On 10/16/09 8:21 PM, Ben Laurie wrote:
> The point is that if I think I'm sourcing something safe but it can be
> overridden by the MIME type, then I have a problem.
Perhaps we need an attribute on <object> that says to only render the
data if the server-provided type and @type match? That way you can
address your use case by setting that attribute and we don't enable
attacks on random servers by allowing @type to override the
server-provided type?
-Boris
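
The check proposed in the message above, sketched as an added example that is not part of the original email or of any specification. The flag name `requireTypeMatch` is hypothetical, and falling back to @type when the server sends no type at all is an assumption.

```javascript
// Added illustration; `requireTypeMatch` is a hypothetical name for the
// opt-in attribute proposed in the message, not a real API.

// Reduce a Content-Type header or @type value to its "type/subtype"
// essence: drop parameters, trim whitespace, lowercase. Returns null
// when the value is absent or not of the form type/subtype.
function mimeEssence(value) {
  if (typeof value !== "string") return null;
  const essence = value.split(";")[0].trim().toLowerCase();
  const token = "[a-z0-9!#$&^_.+-]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// Decide which type (if any) the <object> data is rendered as.
//   serverType:       Content-Type header sent with the resource
//   attrType:         the author's @type attribute
//   requireTypeMatch: the proposed opt-in flag (hypothetical)
function decideRender(serverType, attrType, requireTypeMatch) {
  const server = mimeEssence(serverType);
  const attr = mimeEssence(attrType);
  if (requireTypeMatch) {
    // Fail closed: both types must be present and identical, so a
    // missing or unparsable header never renders.
    const ok = server !== null && server === attr;
    return { render: ok, as: ok ? server : null };
  }
  // Without the flag, @type never overrides the server-provided type.
  // Assumption: @type is used only when the server sent no usable type.
  const chosen = server ?? attr;
  return { render: chosen !== null, as: chosen };
}

// Constructed sample cases: [serverType, @type, requireTypeMatch]
const cases = [
  ["image/png", "image/png", true],
  ["text/html; charset=utf-8", "image/png", true],
  ["text/html; charset=utf-8", "image/png", false],
  [undefined, "image/png", true],
];
for (const c of cases) console.log(c, decideRender(...c));
```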