Re: [whatwg] [mimesniff] The Apache workaround should not sniff random types

2014-01-16 Thread Gordon P. Hemsley

On 08/27/2013 12:26 PM, Boris Zbarsky wrote:

The current mimesniff spec says that when the Apache workaround is
applied sniffing should still be able to detect the content as
PostScript, images, videos, archives, audio formats, etc.

I feel that this poses an unacceptable security risk due to allowing
content through firewalls that is then interpreted differently by a UA.
In particular, postscript and media formats can be used to attack
viewers and decoders.

Web compat does not require this behavior: Gecko only allows
"text/plain" and "application/octet-stream" as output types when the
Apache workaround is being applied, and we have been successfully
shipping this for a while.  I would strongly oppose changing the Gecko
behavior here due to the security implications.

Given the security risks and the lack of web compat issues, I believe
the spec should not require the behavior it currently requires.

-Boris


I have finally made this change. Please confirm that this is what you 
had in mind:


https://github.com/whatwg/mimesniff/commit/d7bafc16ee480a5dea4c27d60dd5272388e022ce

http://mimesniff.spec.whatwg.org/#rules-for-text-or-binary

--
Gordon P. Hemsley
m...@gphemsley.org
http://gphemsley.org/


[whatwg] MetaExtensions for HTML5 vs. custom tagging

2014-01-16 Thread Christine Smith


Over the years, my company has developed custom IBM.xxx meta tags for our
internal and external web pages that are used by various internal tools. My
question has two parts:

1) Is there an allowance for custom taxonomy definition that is not a
proposal for general acceptance? For example, if we manage our own
company-specific meta data schema and linked our pages to it, would it
pass validation?  If so, is there a spec that shows how to create our own
schema?

2) The "Registered Extensions" table at
http://wiki.whatwg.org/wiki/MetaExtensions still shows status of "proposal"
for all tags. Does that imply that they are not fully accepted as
extensions? For example,
-- I would like to know that Dublin Core is accepted, so that I can rely on
its continued support.
-- However, there are also redundant examples in that table (e.g.
web_author and designer) and tool-specific proposals that could be made
more generic for broader use (e.g. Web Trends wt.xxx could become
analytics.xxx).

Is there a timeline to update the status to "accepted" for those that will
be supported in the future?

Thanks for your advice.

Christine Smith
IBM