[whatwg] Zip archives as first-class citizens
Michal Zalewski
lcamtuf at coredump.cx
Wed Aug 28 08:50:16 PDT 2013
Two implementation risks to keep in mind:

1) Both jar: and mhtml: (which work or worked in a very similar way)
have caused problems in the absence of strict Content-Type matching. In
essence, it is relatively easy for something like a valid
user-supplied text document or an image to also be a valid archive.
Such archives may end up containing "files" that the owner of the
website never intended to host in their origin.

2) Both schemes also have a long history of breaking origin / host
name parsing in various places in the browser and introducing security
bugs.
/mz
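The first risk above (a body served under a non-archive Content-Type that a zip reader nevertheless accepts) can be checked for on the server side before an upload is stored. The following is an added example, not code from the thread or from any browser; the validator names, the list of non-archive types and the sample upload body are all constructed for illustration. It relies on the fact that zip readers locate the End Of Central Directory record by scanning backwards from the end of the data, so an archive appended to an ordinary text file still opens as a valid archive, which is exactly what makes such polyglots possible.

```python
"""Polyglot check for uploads: reject a body that also parses as a zip archive.

Added example, not from the mailing-list thread. The function names, the
NON_ARCHIVE_TYPES set and the sample upload body are constructed for
illustration.
"""
import io
import zipfile

# Content-Types under which a body must never double as an archive
# (assumed policy for this example).
NON_ARCHIVE_TYPES = {"text/plain", "text/html", "image/png", "image/jpeg"}


def parses_as_zip(data: bytes) -> bool:
    """True if a zip reader would accept `data` as an archive.

    zipfile finds the End Of Central Directory record from the end of the
    data and compensates for any bytes prepended to the archive, so a text
    document or image with a zip appended is opened without complaint.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns the first corrupt member name, or None if all read cleanly
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def archive_member_names(data: bytes) -> list[str]:
    """Names of the "files" the archive would expose; [] if not an archive."""
    if not parses_as_zip(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def accept_upload(data: bytes, declared_type: str) -> bool:
    """Strict Content-Type matching: a body declared as text or an image
    is rejected if it would also open as an archive."""
    if declared_type in NON_ARCHIVE_TYPES and parses_as_zip(data):
        return False
    return True


def make_sample_polyglot() -> bytes:
    """Constructed sample: an ordinary text note with a small zip appended."""
    text = b"Hello, this is an ordinary text document uploaded by a user.\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hidden.txt", "a member the site owner never meant to host")
    return text + buf.getvalue()


if __name__ == "__main__":
    body = make_sample_polyglot()
    print("parses as zip:", parses_as_zip(body))
    print("members exposed:", archive_member_names(body))
    print("accepted as text/plain:", accept_upload(body, "text/plain"))
    print("accepted as application/zip:", accept_upload(body, "application/zip"))
```

A plain text body of the same prefix, without the appended archive, passes the check; the polyglot is rejected when declared as text/plain and accepted only when declared as an archive type, which is the strict matching the post asks for.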