On 10/23/2011 7:52 PM, websec issue tracker wrote:
> (One still might want to sniff text/html when the type is labeled
> text/plain, for example, but not for other polyglot cases.)

This would be a disaster. For security reasons, a web server needs to
know when a document will be "executed" rather than "displayed".
Currently, using text/plain will display any document literally. Causing
a document that looks like html to be executed will open lots of web
sites to XSS.
Philip
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
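
The concern raised in the message above, as an added example that is not part of the original post: a simplified model of a client that either honors a text/plain label or sniffs it as HTML, next to a server response that labels untrusted text and asks clients not to sniff. The names `render_mode`, `paste_response` and the `HTML_HINT` heuristic are hypothetical, and the sniffing rule is an assumption far cruder than any real browser's.

```python
import re

# Assumed, simplified sniffing heuristic: the body begins with an HTML-looking tag.
HTML_HINT = re.compile(
    rb"^\s*<(?:!doctype\s+html|html|head|body|script|iframe|div|table|title|style)\b",
    re.IGNORECASE,
)

# Constructed sample of user-supplied text that "looks like html".
SAMPLE_UPLOAD = "<script>/* constructed sample */</script>"


def media_type(content_type):
    """Return the lower-cased type/subtype with parameters stripped."""
    return content_type.split(";", 1)[0].strip().lower()


def render_mode(headers, body, sniff_plain_as_html):
    """Return 'execute' if the modelled client parses body as HTML, else 'display'."""
    mtype = media_type(headers.get("Content-Type", ""))
    if mtype == "text/html":
        return "execute"
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if (mtype == "text/plain" and sniff_plain_as_html
            and not nosniff and HTML_HINT.search(body)):
        # The label said "display", but the sniffing client overrides it.
        return "execute"
    return "display"


def paste_response(user_text):
    """Hypothetical handler for a site that shows untrusted text literally."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        # Real response header asking clients to keep the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, user_text.encode("utf-8")


if __name__ == "__main__":
    label_only = {"Content-Type": "text/plain"}
    body = SAMPLE_UPLOAD.encode("utf-8")
    print("label honored:  ", render_mode(label_only, body, False))
    print("label sniffed:  ", render_mode(label_only, body, True))
    hdrs, data = paste_response(SAMPLE_UPLOAD)
    print("sniffer+nosniff:", render_mode(hdrs, data, True))
```
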