[whatwg] Video with MIME type application/octet-stream

Boris Zbarsky bzbarsky at MIT.EDU
Wed Sep 8 13:04:24 PDT 2010


On 9/8/10 3:58 PM, Aryeh Gregor wrote:
> And the problem is that you don't want to keep the data handy in case
> it fails?

Yes.  The problem is that I don't want to have to buffer up 
potentially-arbitrary amounts of data.

>> Yes. Undocumented sniffing behaviour has caused many vulnerabilities, as
>> even well-known sniffing behaviour continues to do (see the current
>> publicised difficulties with CSS-inclusion attacks). Lack of sniffing
>> behaviour, however, has never caused a vulnerability. It fails safe.
>
> The CSS-inclusion attacks that I'm aware of involve @import-ing an
> HTML document and observing what syntax errors occur.  There is no
> sniffing that occurs there.

There sort of is.  There's the fact that for quirks documents the 
Content-Type for style sheet resources was ignored.  (Note that the 
syntax errors are not what the issue was about, btw.)

-Boris


