Re: [whatwg] behavior

2009-10-18 Thread Ben Laurie
On Sun, Oct 18, 2009 at 3:47 PM, Ian Hickson wrote:
> On Sun, 18 Oct 2009, Ben Laurie wrote:
>> On Sun, Oct 18, 2009 at 5:37 AM, Ian Hickson wrote:
>> > On Fri, 16 Oct 2009, Ben Laurie wrote:
>> >> > On Thu, 6 Aug 2009, Andrew Oakley wrote:
>> >>

Re: [whatwg] behavior

2009-10-18 Thread Ben Laurie
On Sun, Oct 18, 2009 at 5:37 AM, Ian Hickson wrote:
> On Fri, 16 Oct 2009, Ben Laurie wrote:
>> > On Thu, 6 Aug 2009, Andrew Oakley wrote:
>> >>
>> >> - Should the type attribute take precedence over the Content-Type
>> >> header?
>> > &g

Re: [whatwg] behavior

2009-10-17 Thread Ben Laurie
On Fri, Oct 16, 2009 at 9:55 PM, Boris Zbarsky wrote:
> On 10/16/09 8:21 PM, Ben Laurie wrote:
>>
>> The point is that if I think I'm sourcing something safe but it can be
>> overridden by the MIME type, then I have a problem.
>
> Perhaps we need an attribute on t

Re: [whatwg] behavior

2009-10-16 Thread Ben Laurie
On Fri, Oct 16, 2009 at 6:04 PM, Mike Shaver wrote:
> On Fri, Oct 16, 2009 at 5:56 PM, Ben Laurie wrote:
>> On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky wrote:
>>> This is, imo, a much bigger problem than that of people embedding content
>>> from an untrusted

Re: [whatwg] behavior

2009-10-16 Thread Ben Laurie
On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky wrote:
> On 10/16/09 4:12 PM, Ben Laurie wrote:
>>
>> I realise this is only one of dozens of ways that HTML is unfriendly
>> to security, but, well, this seems like a bad idea - if the page
>> thinks it is embedding, say,

Re: [whatwg] behavior

2009-10-16 Thread Ben Laurie
On Thu, Aug 13, 2009 at 10:05 PM, Ian Hickson wrote:
> On Thu, 6 Aug 2009, Andrew Oakley wrote:
>>
>> The rules in the HTML5 spec for which plugin to load for an do
>> not seem to be followed by any browser, and in some cases are different
>> to behavior that is common to Opera, Webkit and Gecko