[whatwg] Video with MIME type application/octet-stream
David Singer
singer at apple.com
Thu Sep  9 16:44:26 PDT 2010

On Sep 9, 2010, at 16:38, Andy Berkheimer wrote:
> Much of this discussion has focused on the careless server operator.  What about the careful ones?
> 
> Given the past history of content sniffing and security warts, it is useful - or at least comforting - to have a path for the careful server to indicate "I know this file really is intended to be handled as this type, please don't sniff it".  This is particularly true for a server handling sanitized files from unknown sources, as no sanitizer will be perfect.
> 
> Today we approximate this through accurate use of Content-Type and a recent addition of X-Content-Type-Options: nosniff.
> 
> Never sniffing sounds idyllic and always sniffing makes life a bit riskier for careful server operators.  The proposals of limiting video/audio sniffing to a few troublesome Content-Types are quite reasonable.
I think I agree.  
The minimum I can think of is: sniff when (a) suspect types are supplied and (b) they are 'auto-generated' (e.g. by a web server).  If either is not true, you shouldn't need to sniff.  Someone who writes
 <source ... type="video/frubotziger" ... /> 
causes both tests to fail and deserves to be believed (and get the consequences). (Have you SEEN frubotziger format video :-))
> 
> -Andy
> 
> On Thu, Sep 9, 2010 at 3:07 AM, Philip Jägenstedt <philipj at opera.com> wrote:
> I think we should always sniff or never sniff, for simplicity.
> 
> Philip
David Singer
Multimedia and Software Standards, Apple Inc.
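
The rule discussed in this message, written out as an added example (not code from the thread or from any browser). It assumes the suspect set is application/octet-stream and text/plain, that the HTTP Content-Type header is the 'auto-generated' label while the type attribute on <source> is author-written, and that X-Content-Type-Options: nosniff always disables sniffing; the function and constant names are hypothetical.

```javascript
// Added example: the sniffing rule sketched in this thread, not any browser's code.
// Assumption: which server-supplied types count as "suspect" (the thread lists none).
const SUSPECT_TYPES = new Set(["application/octet-stream", "text/plain"]);

// Simplified magic-number check for three common containers.
function sniffContainer(bytes) {
  const at = (off, sig) => sig.every((b, i) => bytes[off + i] === b);
  if (at(0, [0x4f, 0x67, 0x67, 0x53])) return "application/ogg"; // "OggS"
  if (at(0, [0x1a, 0x45, 0xdf, 0xa3])) return "video/webm";      // EBML header
  if (at(4, [0x66, 0x74, 0x79, 0x70])) return "video/mp4";       // "ftyp" box
  return null;
}

// Strip parameters such as "; charset=UTF-8" and normalise case.
function essence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

function resolveMediaType({ authorType, contentType, xContentTypeOptions, bytes }) {
  // An author-written type attribute is believed as given: no sniffing.
  if (authorType) return { type: essence(authorType), sniffed: false };

  // Assumption: a missing header is treated like application/octet-stream.
  const served = essence(contentType) || "application/octet-stream";

  // The careful server's opt-out: never second-guess a nosniff response.
  const nosniff = (xContentTypeOptions || "").trim().toLowerCase() === "nosniff";
  if (nosniff || !SUSPECT_TYPES.has(served)) return { type: served, sniffed: false };

  // Suspect, auto-generated label: look at the bytes, fall back to the label.
  const found = sniffContainer(bytes || []);
  return found ? { type: found, sniffed: true } : { type: served, sniffed: false };
}

// Constructed sample file headers (not taken from real files).
const MP4_HEAD = [0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x69, 0x73, 0x6f, 0x6d];
const OGG_HEAD = [0x4f, 0x67, 0x67, 0x53, 0x00, 0x02];

console.log(resolveMediaType({ contentType: "application/octet-stream", bytes: MP4_HEAD }));
console.log(resolveMediaType({ contentType: "application/octet-stream",
                               xContentTypeOptions: "nosniff", bytes: MP4_HEAD }));
console.log(resolveMediaType({ authorType: "video/frubotziger", bytes: OGG_HEAD }));
```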