On Thu, May 7, 2009 at 3:55 PM, Aaron Boodman <[email protected]> wrote: > On Thu, May 7, 2009 at 3:52 PM, Evan Martin <[email protected]> wrote: >> Options here (I can't tell if you're suggesting #2 or #3): >> 1) filename extension only (what I'm suggesting) >> 2) require both filename extension and sniffing to match (seems to be >> only minimally different from option #1 -- the delta is cases where >> you have a .crx that is *not* an extension, but you'll also have this >> with corrupt extension files where you ought to have some UI to handle >> it anyway) >> 3) ignore filename, try sniffing out of other app/octet-stream files. >> Seems unpredictable to me. > > I was suggesting 2), trying to avoid the case where we mistake some > existing blob on the web that happens to end in .crx as an extension.
Ugg. I basically agree with Adam. Here's what I'd recommend: 1) If the response has the right MIME type, then we can believe that the site has endorsed the extension. As Adam says, "Site http://foo.bar.com wises to install an extension." 2) If the response has one of the following Content-Types: * No Content-Type * text/plain * application/octet-stream AND the URL has the ".crx" extension AND the response starts with a magic string (such as "CHROME EXTENSION"), then believe that the response is an extension, but don't believe that the site has endorsed the extension. As Adam says, "An unknown party wishes to install an extension." Adam --~--~---------~--~----~------------~-------~--~----~ Chromium Developers mailing list: [email protected] View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~----------~----~----~----~------~----~------~--~---
