Does this mean that the "view page source" link that comes up when the anonymity doesn't work in IE?
Perhaps a better approach is to treat the detection of *any* html in a text/plain document as a potential threat and warn the user (being careful to modify the "View page source" link since it would likely be ineffective).

Ian.

On Mon, Sep 02, 2002 at 08:06:44PM +0100, Matthew Toseland wrote:
> If you insert a page of HTML as text/plain, it will not be filtered,
> being a 'safe' content-type. However, M$IE (tested a fairly recent
> version - somewhere between 5 and 6 inclusive), will recognize the HTML,
> and render it. So... we need to have loud warnings not to use IE, all
> over the place, in the README, but especially, we need fproxy to scan
> for IE's header signature, and if detected bring up a clickthrough page
> (like for new build versions, make it a bit more stubborn - force users
> to copy a URL into the address bar by hand would do it), explaining all
> this if it detects M$IE using it. Alternatively, we could filter out bad
> HTML/CSS regardless of the supposed MIME type.

--
Ian Clarke ian at freenetproject.org
Founder & Coordinator, The Freenet Project http://freenetproject.org/
Chief Technology Officer, Uprizer Inc. http://www.uprizer.com/
Personal Homepage http://locut.us/
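A sketch of the two checks discussed in this thread, added here as an example; it is not part of either message and not fproxy code. The function names, the tag list and the action names (`filter`, `warn`, `clickthrough`, `pass`) are assumptions made for the illustration, and the sample bodies are constructed.

```python
import re

# Tags whose presence in a text/plain body suggests a content-sniffing
# browser would render it as HTML. The list is an assumption for this sketch.
_TAG = re.compile(
    rb"</?(html|head|body|script|style|iframe|frame|object|embed|applet|"
    rb"img|a|form|meta|link|table|div|span|p|br|h[1-6]|title)\b[^>]*>"
    rb"|<!--|<!doctype",
    re.IGNORECASE,
)
# Internet Explorer announces itself with an "MSIE <version>" token.
_MSIE = re.compile(r"\bMSIE\s+\d", re.IGNORECASE)

# Constructed sample inputs.
SAMPLE_HTML = b"<HTML><body><img src=x></body></HTML>"
SAMPLE_TEXT = b"if a < b and b > c then stop"
SAMPLE_IE_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"


def looks_like_html(body: bytes) -> bool:
    """True if the body contains markup a sniffing browser may render."""
    # Drop NUL bytes so simple padding does not hide a tag (best effort).
    return _TAG.search(body.replace(b"\x00", b"")) is not None


def decide(content_type: str, body: bytes, user_agent: str) -> str:
    """Return 'filter', 'warn', 'clickthrough' or 'pass' for one response."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "text/html":
        return "filter"        # declared HTML goes through the normal filter
    if mime == "text/plain" and looks_like_html(body):
        # Warn on any HTML found in text/plain, whatever browser is asking.
        return "warn"
    if _MSIE.search(user_agent):
        # Interpose a click-through page when the request comes from IE.
        return "clickthrough"
    return "pass"


if __name__ == "__main__":
    for body in (SAMPLE_HTML, SAMPLE_TEXT):
        print(body, "->", decide("text/plain", body, SAMPLE_IE_UA))
```

Because the body check runs before the User-Agent check, a text/plain document carrying markup is flagged even for a client that does not identify itself as IE.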
