[whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

Boris Zbarsky bzbarsky at MIT.EDU
Wed Nov 28 22:48:46 PST 2012


On 11/29/12 1:30 AM, Gordon P. Hemsley wrote:
> Based on my reading of the source code, it seems that Gecko treats a
> resource served as 'application/octet-stream' as an unknown type which
> is sniffed as if no Content-Type was specified.

Only for media (<video> and <audio>) loads.  Note that the HTML spec 
requires this behavior for those.

> Are there security implications with doing this?

In general, yes.  Doing this for document loads would be a security 
nightmare, for example.

-Boris



More information about the whatwg mailing list