[whatwg] <object> behavior
Ben Laurie
benl at google.com
Sat Oct 17 00:44:40 PDT 2009
On Fri, Oct 16, 2009 at 9:55 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/16/09 8:21 PM, Ben Laurie wrote:
>>
>> The point is that if I think I'm sourcing something safe but it can be
>> overridden by the MIME type, then I have a problem.
>
> Perhaps we need an attribute on <object> that says to only render the data
> if the server provided type and @type match? That way you can address your
> use case by setting that attribute and we don't enable attacks on random
> servers by allowing @type to override the server-provided type?
That would work.
More information about the whatwg
mailing list