On Thu, Nov 30, 2006 at 10:13:17PM +0000, toad wrote:
> Firefox 2.0 includes an "RSS feed sniffer". What this means is that if a
> file looks like RSS, regardless of its content type (tests show this
> happening with text/plain and image/jpeg, but not text/html), it will be
> treated as RSS and either displayed (previewed?) internally or passed to
> a third party RSS reader app, including all inline images (potentially
> web bugs).

It turns out that XML does not tolerate ANY non-tag characters before the
first tag, and Firefox transparently falls back to the original MIME type
if parsing the RSS fails. The consequences of this:

- If we check the headers of image/png, image/jpeg etc, we can be 100% sure
  that anything passed through will NOT be recognized as RSS.
- That leaves text/plain. If we can be sure that a file does not start with
  "<", we can safely pass it through. If a file does start with "<", then
  we can:
  - Convert it to UTF16. We need to know what the charset is to start with
    to do this, but it should be safe for the time being (Firefox's RSS
    detection only works with US-ASCII based charsets).
  - Add an invisible space. Again we need to know the charset, which we
    often won't. But this is safer than the first option.
  - Add a visible space or newline. This will always work, and will always
    be safe, but it *modifies the content*.

Which is best?
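
Added example, not part of the original message and not Freenet's filter code: a sketch of the filtering decision described above, using the third option (prepend a visible newline) for text/plain. The function names, the magic-byte reading of "check the headers", and the assumption that text/plain is in an ASCII-compatible charset are all assumptions of this example.

```python
# Added illustration; names and policy are assumptions, not Freenet's code.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG signature
JPEG_MAGIC = b"\xff\xd8\xff"       # JPEG SOI marker plus first marker byte
IMAGE_MAGIC = {"image/png": PNG_MAGIC, "image/jpeg": JPEG_MAGIC}


class Rejected(Exception):
    """Content does not match its declared type, or the type is unhandled."""


def filter_for_feed_sniffing(mime_type: str, body: bytes) -> bytes:
    """Return bytes to serve under mime_type so they cannot begin with '<'."""
    magic = IMAGE_MAGIC.get(mime_type)
    if magic is not None:
        # A body that really starts with the image signature cannot start
        # with "<", so per the message it will not parse as a feed.
        if not body.startswith(magic):
            raise Rejected(f"{mime_type} body lacks the expected signature")
        return body
    if mime_type == "text/plain":
        if body.startswith(b"<"):
            # Option 3 from the message: a visible newline. Needs no charset
            # knowledge for ASCII-compatible charsets, but MODIFIES CONTENT.
            return b"\n" + body
        return body
    raise Rejected(f"{mime_type} is not covered by this sketch")


def passes(mime_type: str, body: bytes) -> bool:
    """True if the filter accepts the body (possibly after modifying it)."""
    try:
        filter_for_feed_sniffing(mime_type, body)
        return True
    except Rejected:
        return False


# Constructed sample inputs.
SAMPLE_FEED = b'<?xml version="1.0"?><rss version="2.0"><channel/></rss>'
SAMPLE_TEXT = b"just some notes\n<not a tag at the start>"
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    print(filter_for_feed_sniffing("text/plain", SAMPLE_FEED)[:12])
    print(passes("image/jpeg", SAMPLE_FEED))
```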