[whatwg] [mimesniff] The Apache workaround should not sniff random types

Boris Zbarsky bzbarsky at MIT.EDU
Tue Aug 27 09:26:53 PDT 2013

The current mimesniff spec says that when the Apache workaround is 
applied sniffing should still be able to detect the content as 
PostScript, images, videos, archives, audio formats, etc.

I feel that this poses an unacceptable security risk due to allowing 
content through firewalls that is then interpreted differently by a UA. 
  In particular, postscript and media formats can be used to attack 
viewers and decoders.

Web compat does not require this behavior: Gecko only allows 
"text/plain" and "application/octet-stream" as output types when the 
Apache workaround is being applied, and we have been successfully 
shipping this for a while.  I would strongly oppose changing the Gecko 
behavior here due to the security implications.

Given the security risks and the lack of web compat issues, I believe 
the spec should not require the behavior it currently requires.


More information about the whatwg mailing list