[whatwg] Zip archives as first-class citizens

Anne van Kesteren annevk at annevk.nl
Wed Aug 28 09:21:59 PDT 2013


On Wed, Aug 28, 2013 at 4:50 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> 1) Both jar: and mhtml: (which work or worked in a very similar way)
> have caused problems in absence of strict Content-Type matching. In
> essence, it is relatively easy for something like a valid
> user-supplied text document or an image to be also a valid archive.
> Such archives may end up containing "files" that the owner of the
> website never intended to host in their origin.

This also seems like a problem for being able to navigate to a zip
archive's resources. E.g. if you have a hosting service for zip
archives someone could upload one with an HTML subresource that
executes some malicious script and trick users into navigating to
http://hosting.example/pinkpony%!look.html

I wonder if that is enough of a concern to not support navigating to
zip resources at all. Or is Gecko's jar support enough to not have to
care about this? (But we probably should do more than sniffing as you
point out.)


> 2) Both schemes also have a long history of breaking origin / host
> name parsing in various places in the browser and introducing security
> bugs.


-- 
http://annevankesteren.nl/
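
Added example, not part of the original message: a server-side check for the case raised in point 1, where an upload declared as an image or text document also parses as a zip archive. The function names, the accept/reject policy and the sample bytes are assumptions made for illustration; Python's zipfile stands in for whatever archive parser a browser would use.

```python
import io
import zipfile

def zip_members(data):
    """Return the archive's member names if `data` parses as ZIP, else None.

    ZIP readers locate the central directory from the end of the file, so
    leading bytes (an image header, text) do not stop the parse.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def accept_upload(data, declared_type):
    """Hypothetical policy: only uploads declared as ZIP may parse as ZIP."""
    members = zip_members(data)
    if declared_type == "application/zip":
        return members is not None
    return members is None

def constructed_samples():
    """Constructed inputs: image-like bytes, a ZIP, and both concatenated."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("look.html", "<p>constructed member</p>")
    archive = zbuf.getvalue()
    image_like = b"GIF89a" + b"\x00" * 32  # stand-in for real image data
    return {
        "plain": image_like,
        "both": image_like + archive,
        "zip": archive,
    }

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, zip_members(data), accept_upload(data, "image/gif"))
```

A check like this only reflects one parser's view of the bytes; strict Content-Type matching on the consuming side, as the quoted message says, is what closes the gap.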


