[whatwg] [mimesniff] The Apache workaround should not sniff random types
Gordon P. Hemsley
me at gphemsley.org
Sat Nov 16 06:55:19 PST 2013
On 8/27/13 12:26 PM, Boris Zbarsky wrote:
> The current mimesniff spec says that when the Apache workaround is
> applied sniffing should still be able to detect the content as
> PostScript, images, videos, archives, audio formats, etc.
>
> I feel that this poses an unacceptable security risk due to allowing
> content through firewalls that is then interpreted differently by a UA.
> In particular, postscript and media formats can be used to attack
> viewers and decoders.
>
> Web compat does not require this behavior: Gecko only allows
> "text/plain" and "application/octet-stream" as output types when the
> Apache workaround is being applied, and we have been successfully
> shipping this for a while. I would strongly oppose changing the Gecko
> behavior here due to the security implications.
>
> Given the security risks and the lack of web compat issues, I believe
> the spec should not require the behavior it currently requires.
>
> -Boris
I'm inclined to agree.
Having heard no objection (or, indeed, any discussion whatsoever) in the
last 3 months, I plan to move ahead with this proposed change.
Anyone else have anything to say before I do?
--
Gordon P. Hemsley
me at gphemsley.org
http://gphemsley.org/
More information about the whatwg
mailing list