[whatwg] Video with MIME type application/octet-stream
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Sep 8 13:04:24 PDT 2010
On 9/8/10 3:58 PM, Aryeh Gregor wrote:
> And the problem is that you don't want to keep the data handy in case
> it fails?
Yes. The problem is that I don't want to have to buffer up
potentially-arbitrary amounts of data.
>> Yes. Undocumented sniffing behaviour has caused many vulnerabilities, as
>> even well-known sniffing behaviour continues to do (see the current
>> publicised difficulties with CSS-inclusion attacks). Lack of sniffing
>> behaviour, however, has never caused a vulnerability. It fails safe.
>
> The CSS-inclusion attacks that I'm aware of involve @import-ing an
> HTML document and observing what syntax errors occur. There is no
> sniffing that occurs there.
There sort of is. There's the fact that for quirks documents the
Content-Type for style sheet resources was ignored. (Note that the
syntax errors are not what the issue was about, btw.)
-Boris