I don't understand, Philip. A central case of this document involves taking documents that look like text/html but are labeled as text/plain and "sniffing" them to be text/html after all.

It's claimed that this is necessary, part of most browsers today, regular practice, etc. Are you opposed to specifying sniffing from text/plain to text/html? In any case?

Larry

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Philip Gladstone
Sent: Monday, October 24, 2011 9:24 AM
To: [email protected]
Subject: Re: [websec] #21: sniffing of text/html shouldn't override polyglot label of application/xhtml+xml

On 10/23/2011 7:52 PM, websec issue tracker wrote:
>
> (One still might want to sniff text/html when the type is labeled
> text/plain, for example, but not for other polyglot cases.)

This would be a disaster. For security reasons, a web server needs to know when a document will be "executed" rather than "displayed". Currently, using text/plain will display any document literally. Causing a document that looks like HTML to be executed will open lots of web sites to XSS.

Philip

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
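Added example, not code from the websec thread, the mime-sniff draft, or any browser: a small model of the two behaviours the messages above are arguing about. The "text or binary" rule (BOM means text, a binary data byte means application/octet-stream, otherwise the text/plain label stands) is the rule the draft applies to text/plain, and it has no branch that promotes HTML-looking text to text/html; the legacyHtmlSniff option is a crude stand-in for the older promote-to-HTML behaviour Philip objects to, not a reproduction of any real browser's heuristic. Function and constant names (sniffTextOrBinary, effectiveContentType, plainTextHeaders, looksLikeHtml) are this example's own, and the server-side headers it returns (text/plain with charset plus X-Content-Type-Options: nosniff) are the practitioner's mitigation, not something the thread prescribes.

```javascript
// Byte values the sniffing draft treats as evidence of binary content:
// 0x00-0x08, 0x0B, 0x0E-0x1A, 0x1C-0x1F (TAB, LF, CR, FF and ESC are excluded).
function isBinaryDataByte(b) {
  return (b >= 0x00 && b <= 0x08) || b === 0x0b ||
         (b >= 0x0e && b <= 0x1a) || (b >= 0x1c && b <= 0x1f);
}

// The draft applies the text-or-binary rule only to these exact labels.
const TEXT_PLAIN_LABELS = new Set([
  'text/plain',
  'text/plain; charset=ISO-8859-1',
  'text/plain; charset=iso-8859-1',
  'text/plain; charset=UTF-8',
]);

const RESOURCE_HEADER_LENGTH = 1445; // bytes a sniffer is allowed to inspect

function toBytes(body) {
  return body instanceof Uint8Array ? body : new TextEncoder().encode(body);
}

// "Text or binary" rule. Note what is absent: nothing here ever returns text/html.
function sniffTextOrBinary(body) {
  const h = toBytes(body).subarray(0, RESOURCE_HEADER_LENGTH);
  const bom =
    (h[0] === 0xfe && h[1] === 0xff) ||                 // UTF-16BE BOM
    (h[0] === 0xff && h[1] === 0xfe) ||                 // UTF-16LE BOM
    (h[0] === 0xef && h[1] === 0xbb && h[2] === 0xbf);  // UTF-8 BOM
  if (bom) return 'text/plain';
  for (const b of h) {
    if (isBinaryDataByte(b)) return 'application/octet-stream';
  }
  return 'text/plain';
}

// Crude stand-in for a legacy "looks like HTML" heuristic (assumption: real
// browsers used their own undocumented tag lists; this is only illustrative).
function looksLikeHtml(body) {
  const h = toBytes(body).subarray(0, 512);
  const head = Array.from(h, (b) => String.fromCharCode(b)).join('').toLowerCase();
  return /<(!doctype html|html|head|body|script|iframe|img)[\s>]/.test(head);
}

// What a client ends up treating the response as. Header names are lowercase.
function effectiveContentType(headers, body, { legacyHtmlSniff = false } = {}) {
  const declared = headers['content-type'] || '';
  const nosniff =
    (headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  if (nosniff) return declared;                 // server opted out of sniffing
  if (TEXT_PLAIN_LABELS.has(declared)) {
    // The behaviour the thread warns about: text/plain "executed" as HTML.
    if (legacyHtmlSniff && looksLikeHtml(body)) return 'text/html';
    return sniffTextOrBinary(body);
  }
  return declared;                              // other labels: not sniffed here
}

// Server side: headers for user-supplied text so that neither a conforming
// sniffer nor the legacy heuristic can turn it into markup.
function plainTextHeaders() {
  return {
    'content-type': 'text/plain; charset=UTF-8',
    'x-content-type-options': 'nosniff',
  };
}

// Constructed sample: the kind of user-supplied "text" that becomes an XSS
// payload the moment a client decides it is HTML after all.
const SAMPLE_PASTE = '<html><body><script>alert(document.cookie)</script></body></html>';
```

The contrast to take away: with a bare `Content-Type: text/plain`, the draft's rule leaves SAMPLE_PASTE as text/plain, the legacy heuristic turns it into text/html, and the nosniff header makes the question moot for both. Servers that echo untrusted text should send plainTextHeaders() rather than rely on how any particular client sniffs.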
