[whatwg] [mimesniff] Treating application/octet-stream as unknown for sniffing

Adam Barth w3c at adambarth.com
Thu Nov 29 11:30:47 PST 2012

On Wed, Nov 28, 2012 at 10:30 PM, Gordon P. Hemsley <gphemsley at gmail.com> wrote:
> Based on my reading of the source code, it seems that Gecko treats a
> resource served as 'application/octet-stream' as an unknown type which
> is sniffed as if no Content-Type was specified.
> Are there security implications with doing this?

Yes, there are very large security consequences.  I'm sorry that I
don't have time to respond to all of these threads in detail, but I'm
worried that you don't understand the consequences of the changes
you're proposing to this specification.

I'm not sure how to help you succeed here, but tweaking things in the
spec without a compelling reason for doing so is not likely to lead to
a useful specification.  I spent a great deal of time and effort
studying the behaviors of many user agents and of a massive amount of
content on the web.  I'm certainly willing to believe that the spec
can be improved, but if you don't understand these sorts of basic
things about content sniffing, I worry that changes that you make to
the spec won't be improvements.

