Adam Barth wrote:
2009/6/1 Bil Corry b...@corry.biz:
Den.Molib wrote on 6/1/2009 4:55 PM:
follow the last one, as it's the one provided nearer the content.
And by the same logic, the header closest to the content could be the one that
was injected by an attacker (via application hole) -- so
Looping in Dannyb (who may not be on the list, so if necessary, I'll
forward) as I'm in the midst of a conference and can't give this the
attention it deserves.
Chris
On Tue, Jun 2, 2009 at 1:19 PM, Håkon Wium Lie howc...@opera.com wrote:
Also sprach Chris DiBona:
To be clear, there are two
On Tue, Jun 2, 2009 at 12:19 AM, Julian Reschke julian.resc...@gmx.de wrote:
Adam Barth wrote:
In any case, the four major browsers that actually look at the
Content-Type header agree and use the last header. The only browser
that uses the first header more or less ignores it anyway.
Could
On Mon, 18 Aug 2008, Robert O'Callahan wrote:
On Mon, Aug 18, 2008 at 2:19 PM, Ian Hickson i...@hixie.ch wrote:
On Mon, 18 Aug 2008, Robert O'Callahan wrote:
IE7, FF3 and Opera 9.51 compress whitespace when getting
document.title. \t and \n (at least) are converted to spaces, runs
Adam Barth wrote:
Sure. For the sake of discussion, let's say IE6 and IE7. Basically,
if the Content-Type header contains a value IE knows about, then IE
pretty much ignores the value and engages its sniffing algorithm. So,
for example, if a response has:
Content-Type: text/html
On Fri, May 29, 2009 at 12:27 PM, Kristof Zelechovski
giecr...@stegny.2a.pl wrote:
Inserting a SCRIPT element is not equivalent to a server-side include. It
is more like linking to an object file. In particular, substitution macros
(e.g. CONST in BASIC) in one script do not apply other
On Fri, 9 Jan 2009, Boris Zbarsky wrote:
I've recently come across another issue with the origin definition.
Right now, this says:
1) If url does not use a server-based naming authority, or if parsing
url failed, or if url is not an absolute URL, then return a new
globally unique
On Tue, Jun 2, 2009 at 2:23 AM, Ian Hickson i...@hixie.ch wrote:
Adam: I believe that you are editing a draft that also has this algorithm;
what parts of HTML5 should I be stripping here? Will this particular
algorithm belong in your draft or HTML5? (If the former, can you take this
change
So exactly what is the process by which this gets resolved? Is there one?
On Sun, May 24, 2009 at 10:17 AM, Bruce D'Arcus bdar...@gmail.com wrote:
On Sat, May 23, 2009 at 5:35 PM, Ian Hickson i...@hixie.ch wrote:
...
I agree that BibTeX is suboptimal. But what should we use instead?
As
Bruce D'Arcus wrote:
So exactly what is the process by which this gets resolved? Is there one?
Hixie will respond to substantive emails sent to this list at some
point. However there are some hundreds of outstanding emails (see [1])
so the responses can take a while. If you have a pressing
Adam Barth wrote on 6/2/2009 3:17 AM:
Now, consider the reverse:
Content-Type: image/gif
Content-Type: text/html
In this case, IE renders the image correctly, but Firefox and Chrome
don't show the image. This is less likely to occur on the web because
it doesn't work in Firefox (e.g.,
On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry b...@corry.biz wrote:
It's less likely to occur legitimately, but more likely to occur under a
header injection scenario.
As I wrote before in this thread, if the attacker can inject headers,
there are far more severe attacks than changing the type of
On 2 Jun 2009, at 02:58, Chris DiBona wrote:
One participant quoted one of the examples from the LGPL 2.1, which
says For example, if a patent license would not permit royalty-free
redistribution of the Library by all those who receive copies directly
or indirectly through you, then the only
Adam Barth wrote on 6/2/2009 11:47 AM:
On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry b...@corry.biz wrote:
It's less likely to occur legitimately, but more likely to occur under a
header injection scenario.
As I wrote before in this thread, if the attacker can inject headers,
there are far
On Wed, 14 Jan 2009, Cameron McCormack wrote:
I began testing all attributes and operations with DOMString arguments
from a selection of specs for their behaviour wrt null and undefined:
http://mcc.id.au/2009/01/string-handling/string-handling
Each pair of characters in the column for
I was wrong: CONST values and conditional compilation variables land as
properties of the window, which means they are unavailable to other scripts
only if the defining script is external and deferred.
Still, I do not think this behavior is mandatory for run-time; there may be
symbols that are
On Tue, 02 Jun 2009 19:36:25 +0200, Jonas Sicking jo...@sicking.cc wrote:
Is this something that's really needed for web compatibility though?
Probably not.
Creating a DOM with multiple bodys is hard since the parser will
never output such a DOM. Instead you have to manually set up such a
Bil Corry wrote:
It's less likely to occur legitimately, but more likely to occur under a
header injection scenario. For example, here's a page that simulates serving
an image from an untrusted user[1], with the correct content-type of
image/x-ms-bmp, then a second (injected) content-type
Den.Molib wrote on 6/2/2009 4:19 PM:
Bil Corry wrote:
It's less likely to occur legitimately, but more likely to occur under a
header injection scenario. For example, here's a page that simulates
serving an image from an untrusted user[1], with the correct content-type of
image/x-ms-bmp,
On Tue, Jun 2, 2009 at 7:24 PM, Bil Corry b...@corry.biz wrote:
The server should provide a single content-type header that specifies
text/plain. In the context that there are two content-type headers, then the
answer will depend on which browser you want to protect; IE, set the first
Looping in Danny (in transit)
On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
foolist...@googlemail.com wrote:
On 2 Jun 2009, at 02:58, Chris DiBona wrote:
One participant quoted one of the examples from the LGPL 2.1, which
says For example, if a patent license would not permit royalty-free
On Tue, Jun 2, 2009 at 3:50 AM, Chris DiBona cdib...@gmail.com wrote:
Looping in Dannyb (who may not be on the list, so if necessary, I'll
forward) as I'm in the midst of a conference and can't give this the
attention it deserves.
Chris
On Tue, Jun 2, 2009 at 1:19 PM, Håkon Wium Lie
On Thu, 2 Apr 2009, Bil Corry wrote:
Since the public-webapps list was never able to reconcile[1] HTML5's
Origin header (now renamed XXX-Origin[2]) with CORS's Origin header[3],
we're left with two headers with similar implementations and similar
names. Due to this, it may be prudent to
Hello,
Regardless of any decision on whether my recommendation for
document.contentType to be standardized and made settable on a document
created by createDocument() (rather than needing to call the
less-than-intuitive doc.open() fix for HTML), I'd still like to
recommend standardizing on
On Tue, Jun 2, 2009 at 8:20 PM, Chris DiBona cdib...@gmail.com wrote:
Looping in Danny (in transit)
On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
foolist...@googlemail.com wrote:
On 2 Jun 2009, at 02:58, Chris DiBona wrote:
One participant quoted one of the examples from the LGPL 2.1,
On Wed, Jun 3, 2009 at 11:29 AM, Daniel Berlin dan...@google.com wrote:
On Tue, Jun 2, 2009 at 8:20 PM, Chris DiBona cdib...@gmail.com wrote:
Looping in Danny (in transit)
On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey Sneddon
foolist...@googlemail.com wrote:
On 2 Jun 2009, at 02:58, Chris DiBona
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin dan...@google.com wrote:
[snip]
I would, however, get in trouble for not having paid patent
fees for doing so.
No more or less trouble than you would have gotten in had you gotten
it from ffmpeg instead of us, which combined with the fact that we
On Tue, Jun 2, 2009 at 9:38 PM, Silvia Pfeiffer
silviapfeiff...@gmail.com wrote:
On Wed, Jun 3, 2009 at 11:29 AM, Daniel Berlin dan...@google.com wrote:
On Tue, Jun 2, 2009 at 8:20 PM, Chris DiBona cdib...@gmail.com wrote:
Looping in Danny (in transit)
On Wed, Jun 3, 2009 at 1:38 AM, Geoffrey
On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin dan...@google.com wrote:
[snip]
I would, however, get in trouble for not having paid patent
fees for doing so.
No more or less trouble than you would have gotten in had you
On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin dan...@google.com wrote:
On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin dan...@google.com wrote:
[snip]
I would, however, get in trouble for not having paid patent
fees for
On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin dan...@google.com wrote:
On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin dan...@google.com wrote:
[snip]
I would, however, get in trouble for not having paid patent
fees for
On Wed, 03 Jun 2009 03:24:29 +0200, Brett Zamir bret...@yahoo.com wrote:
Hello,
Regardless of any decision on whether my recommendation for
document.contentType to be standardized and made settable on a document
created by createDocument() (rather than needing to call the
On Tue, Jun 2, 2009 at 11:51 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
On Tue, Jun 2, 2009 at 10:18 PM, Daniel Berlin dan...@google.com wrote:
On Tue, Jun 2, 2009 at 9:50 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
On Tue, Jun 2, 2009 at 9:29 PM, Daniel Berlin dan...@google.com wrote:
33 matches