Marcos Caceres wrote on 11/29/2008 9:39 AM:
> I had a discussion with Henri Sivonen and a few other people in the
> HTML-WG about using HTML5's content-type sniffing as a way of deriving
> the MIME type of files inside a widget package. Henri suggested that
> we should primarily rely on file extensions as a way of mapping files
> to MIME types. Although relying on extensions can be potentially
> unreliable, it seems like a simple solution to a complicated problem.
Content-sniffing can pose it's own problems, here's one example:
http://www.gnucitizen.org/blog/backdooring-images/
> For the spec, I guess it would mean including a table of file
> extension to MIME type mappings into the spec for common IANA
> registered types (MIME type registrations list file extensions).
The Apache (httpd) project includes a file called "mime.types" that maps file
extensions to MIME types. I haven't seen anything more extensive than Apache's.
> As a
> second line of defense, if there is no file extension, or the file
> extension does not map to the file extension to MIME table, then HTML
> content-type sniffing heuristics can be used.
This paper describes how the major browsers do it:
http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf
Firefox specifically appears to do it the way you're proposing here.
- Bil
