[whatwg] [mimesniff] The Apache workaround should not sniff random types
Boris Zbarsky
bzbarsky at MIT.EDU
Tue Aug 27 09:26:53 PDT 2013
The current mimesniff spec says that when the Apache workaround is
applied sniffing should still be able to detect the content as
PostScript, images, videos, archives, audio formats, etc.
I feel that this poses an unacceptable security risk due to allowing
content through firewalls that is then interpreted differently by a UA.
In particular, postscript and media formats can be used to attack
viewers and decoders.
Web compat does not require this behavior: Gecko only allows
"text/plain" and "application/octet-stream" as output types when the
Apache workaround is being applied, and we have been successfully
shipping this for a while. I would strongly oppose changing the Gecko
behavior here due to the security implications.
Given the security risks and the lack of web compat issues, I believe
the spec should not require the behavior it currently requires.
-Boris
More information about the whatwg
mailing list