> Agree with this one.
> With one addition: it must be clear, that if you "opt-in" for sniffing, then
> you MUST (SHOULD?) follow the mime-sniffing algorithm.

I don't think that's possible. I think the crux of this issue is that I don't think the "mime-sniffing algorithm" is currently structured in a way that lets the results be "opt-in" on a case-by-case basis. For example, the algorithm starts with an analysis of existing content-type headers, and winds up, in its state transition and communication paths, not letting later stages of the algorithm know whether the supplied content-type was malformed, whether there were two rather than one, etc. So if you follow the algorithm, you don't have any way (at least if you're just following this algorithm) of "opting" later in ways that want to distinguish.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
