[whatwg] <object> behavior

Ben Laurie benl at google.com
Sat Oct 17 00:44:40 PDT 2009


On Fri, Oct 16, 2009 at 9:55 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/16/09 8:21 PM, Ben Laurie wrote:
>>
>> The point is that if I think I'm sourcing something safe but it can be
>> overridden by the MIME type, then I have a problem.
>
> Perhaps we need an attribute on <object> that says to only render the data
> if the server-provided type and @type match?  That way you can address your
> use case by setting that attribute and we don't enable attacks on random
> servers by allowing @type to override the server-provided type?

That would work.
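
An added illustration, not part of the original thread and not browser or spec code: a sketch of the decision the proposed attribute would make, comparing the `type` attribute with the server's `Content-Type`. The names `mimeEssence`, `decideRender` and `strictMatch` are hypothetical, and the non-strict branch simply assumes the server-provided type wins.

```javascript
// Added example. All names are hypothetical; the thread names no attribute.

// Reduce a Content-Type header value or a type attribute to its lowercase
// "type/subtype" essence, dropping parameters such as charset.
// Returns null when the value is missing or malformed.
function mimeEssence(value) {
  if (typeof value !== "string") return null;
  const essence = value.split(";")[0].trim().toLowerCase();
  // HTTP token characters on each side of exactly one slash.
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  const wellFormed = new RegExp("^" + token + "/" + token + "$");
  return wellFormed.test(essence) ? essence : null;
}

// declaredType:      value of the type attribute on <object>
// serverContentType: Content-Type header sent with the resource
// strictMatch:       true when the proposed attribute is set
function decideRender(declaredType, serverContentType, strictMatch) {
  const declared = mimeEssence(declaredType);
  const served = mimeEssence(serverContentType);

  if (!strictMatch) {
    // Assumption for this sketch: the server-provided type decides how the
    // data is handled, so the author's declared type can be overridden.
    return { render: served !== null, as: served };
  }

  // Strict mode fails closed: a missing or malformed type on either side,
  // or any mismatch, means the data is not rendered at all.
  if (declared === null || served === null || declared !== served) {
    return { render: false, as: null };
  }
  return { render: true, as: served };
}

// Constructed sample inputs.
console.log(decideRender("image/png", "image/png", true));
console.log(decideRender("image/png", "text/html; charset=utf-8", true));
console.log(decideRender("image/png", "text/html; charset=utf-8", false));
```
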


