[whatwg] Video with MIME type application/octet-stream

David Singer singer at apple.com
Thu Sep 9 16:44:26 PDT 2010


On Sep 9, 2010, at 16:38 , Andy Berkheimer wrote:

> Much of this discussion has focused on the careless server operator.  What about the careful ones?
> 
> Given the past history of content sniffing and security warts, it is useful - or at least comforting - to have a path for the careful server to indicate "I know this file really is intended to be handled as this type, please don't sniff it".  This is particularly true for a server handling sanitized files from unknown sources, as no sanitizer will be perfect.
> 
> Today we approximate this through accurate use of Content-Type and a recent addition of X-Content-Type-Options: nosniff.
> 
> Never sniffing sounds idyllic and always sniffing makes life a bit riskier for careful server operators.  The proposals of limiting video/audio sniffing to a few troublesome Content-Types are quite reasonable.

I think I agree.  

The minimum I can think of is

sniff when (a) suspect types are supplied and (b) they are 'auto-generated' (e.g. by a web server).  If either are not true, you shouldn't need to sniff.  Someone who writes

 <source ... type="video/frubotziger" ... /> 

causes both tests to fail and deserves to be believed (and get the consequences). (Have you SEEN frubotziger format video :-))

> 
> -Andy
> 
> On Thu, Sep 9, 2010 at 3:07 AM, Philip Jägenstedt <philipj at opera.com> wrote:
> I think we should always sniff or never sniff, for simplicity.
> 
> Philip

David Singer
Multimedia and Software Standards, Apple Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100909/a7e14ba6/attachment-0002.htm>


More information about the whatwg mailing list