[whatwg] Zip archives as first-class citizens

Michal Zalewski lcamtuf at coredump.cx
Wed Aug 28 08:50:16 PDT 2013


Two implementation risks to keep in mind:

1) Both jar: and mhtml: (which work or worked in a very similar way)
have caused problems in the absence of strict Content-Type matching. In
essence, it is relatively easy for something like a valid
user-supplied text document or an image to also be a valid archive.
Such archives may end up containing "files" that the owner of the
website never intended to host in their origin.

2) Both schemes also have a long history of breaking origin / host
name parsing in various places in the browser and introducing security
bugs.

/mz
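The polyglot risk in point 1) and the mitigation the post names (strict Content-Type matching) can be demonstrated with a small check. The following is an added example, not code from the original message or from any browser: it builds a constructed sample (a PNG magic prefix followed by a genuine zip archive), shows that Python's zipfile still reads it because the End Of Central Directory record is located from the end of the file, and then applies a policy that only unpacks content whose declared Content-Type is an archive type. The names build_polyglot, parses_as_zip, archive_members and should_treat_as_archive, and the ARCHIVE_TYPES set, are assumptions made for this illustration.

```python
import io
import zipfile

# Constructed sample prefix: the 8-byte PNG signature. Any leading bytes would do;
# the point is that a file served as an image can carry a complete archive.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Hypothetical policy: only these declared types may be treated as archives.
ARCHIVE_TYPES = {"application/zip", "application/java-archive"}


def build_polyglot(prefix: bytes, files: dict) -> bytes:
    """Constructed test fixture: an arbitrary prefix followed by a real zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return prefix + buf.getvalue()


def parses_as_zip(data: bytes) -> bool:
    """Return True if the bytes are a readable zip archive, whatever they start with.

    zipfile scans backwards for the End Of Central Directory record and corrects
    the member offsets for any leading bytes, so an image or text prefix does not
    stop the archive from parsing. testzip() additionally verifies every member CRC.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def archive_members(data: bytes) -> list:
    """List the member names a zip parser would see inside the bytes (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def should_treat_as_archive(content_type: str, data: bytes) -> bool:
    """Strict Content-Type matching: unpack only content the origin declared as an archive.

    A parseable archive served as image/png or text/plain is refused, which is the
    check that stops "files" the site owner never meant to host from appearing in
    their origin.
    """
    declared = content_type.split(";", 1)[0].strip().lower()
    return declared in ARCHIVE_TYPES and parses_as_zip(data)


if __name__ == "__main__":
    sample = build_polyglot(PNG_MAGIC, {"hidden.html": b"<h1>unexpected</h1>"})
    print("parses as zip:", parses_as_zip(sample))
    print("members:", archive_members(sample))
    print("unpack when served as image/png:", should_treat_as_archive("image/png", sample))
    print("unpack when served as application/zip:",
          should_treat_as_archive("application/zip", sample))
```

The decision is deliberately made on the declared type first and the bytes second: sniffing the bytes alone would accept exactly the polyglots the post warns about, while refusing anything not explicitly served as an archive keeps a user-uploaded image from becoming a source of same-origin content.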
