[whatwg] Video with MIME type application/octet-stream
Gregory Maxwell
gmaxwell at gmail.com
Tue Aug 31 21:27:36 PDT 2010
On 8/31/10, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> If you can't come up with any actual problems with what IE is doing,
> then why is anything else even being considered? There's a very
> clear-cut problem with relying on MIME types: MIME types are often
> wrong and hard for authors to configure, and this is not going to
> change anytime soon.
Aggressive sniffing can and has resulted in some pretty nasty security bugs.

E.g. an attacker crafts an input that a website identifies as video
and permits the upload but which a browser sniffs out to be a Java JAR
which can then access the source URL with the permissions of the user.

The sniffing rules, in some contexts and some browsers, can also end up
causing surprising failures... e.g. I've seen older versions of some
sniffing-heavy browsers automatically switch into UCS-2LE encoding at
wrong and surprising times. Perhaps this is irrelevant in a
video-specific discussion of sniffing, but it is a hazard with sniffing in
general. Moreover, it'll never be consistent from implementation to
implementation, which seems to me to be pretty antithetical to
standardization in general.
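
The upload scenario described in the message above, seen from the server's side, as an added example that is not part of the original message: a check that a file whose leading bytes look like video does not also end in a ZIP end-of-central-directory record (JAR files are ZIP archives, and ZIP readers locate the archive from the end of the file). The function names, the accepted container list and the sample inputs are assumptions made for illustration.

```python
import io
import struct
import zipfile

# Leading magic bytes for containers a video upload endpoint might accept (assumed list).
VIDEO_MAGIC = {"ogg": (0, b"OggS"), "webm": (0, b"\x1a\x45\xdf\xa3"), "mp4": (4, b"ftyp")}
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature
EOCD_LEN = 22             # fixed part of the record; a comment of up to 0xFFFF bytes may follow


def leading_type(data):
    """Return the container name suggested by the first bytes, or None."""
    for name, (offset, magic) in VIDEO_MAGIC.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def has_zip_trailer(data):
    """True if a plausible ZIP end-of-central-directory record sits near the end.

    ZIP (and so JAR) readers locate the archive from the tail of the file, so
    bytes that start as valid video can still open as an archive.
    """
    tail_start = max(0, len(data) - (EOCD_LEN + 0xFFFF))
    pos = data.rfind(EOCD_SIG, tail_start)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            # Plausible record: comment fits in the file, central directory precedes it.
            if pos + EOCD_LEN + comment_len <= len(data) and cd_offset + cd_size <= pos:
                return True
        pos = data.rfind(EOCD_SIG, tail_start, pos)  # try an earlier candidate
    return False


def check_video_upload(data):
    """Return 'accept:<type>', 'reject-unknown' or 'reject-polyglot'."""
    kind = leading_type(data)
    if kind is None:
        return "reject-unknown"
    return "reject-polyglot" if has_zip_trailer(data) else "accept:" + kind


def constructed_samples():
    """Constructed inputs: bytes starting with the Ogg magic, then the same with an archive appended."""
    ogg = b"OggS" + bytes(100)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return ogg, ogg + buf.getvalue()
```

A match is a heuristic: compressed video data can contain the four signature bytes by chance, and the field checks only make a false match less likely.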