On 10/24/2011 12:48 PM, Larry Masinter wrote:
> I don't understand, Philip. A central case of this document involves taking documents that look like text/html but are labeled as text/plain and "sniffing" them to be text/html after all. It's claimed that this is necessary, part of most browsers today, regular practice, etc. Are you opposed to specifying sniffing from text/plain to text/html? In any case?
If the web server explicitly says text/plain, then IMHO it should never be sniffed as text/html. Having dealt with security issues where a document was returned (without a mime type) and then interpreted as text/html, and then enabling a serious XSS, I am attuned to this issue. [In my case, this was with a web-based ticketing system that allowed the submitter of a ticket to upload arbitrary files as supplementary information. It turned out that these files were then displayed without a content type, and *some* browsers chose to interpret any javascript that was embedded. Moving to an explicit text/plain type fixed that problem, and these files were displayed literally.]
In the case of sniffing image types when the web server gets it wrong, I don't have any experience with what security vulnerabilities that would introduce (if any).
Philip

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
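A defender's-side illustration of the fix Philip describes, added here as example code that is not part of the thread: it builds the headers for serving an untrusted upload as literal text and audits a few constructed sample responses for the "no Content-Type on HTML-looking bytes" case. The `looks_like_html` heuristic is an assumed simplification, not the sniffing draft's actual algorithm, and `X-Content-Type-Options: nosniff` is a real header that the thread itself does not mention.

```python
import re

# ASSUMPTION: a trimmed "looks like HTML" heuristic for illustration only,
# not the exact rules of the sniffing draft under discussion.
_HTML_MARKERS = re.compile(
    rb"^\s*<(!doctype\s+html|html|head|body|script|iframe|div|table|meta|title|a\s|p\s)",
    re.IGNORECASE)

def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes resemble HTML markup, which is what a sniffer keys on."""
    return _HTML_MARKERS.match(data[:512]) is not None

def attachment_headers(filename: str) -> dict:
    """Headers for serving an untrusted upload as literal text.

    Explicit text/plain is the fix from the thread; nosniff tells conforming browsers
    not to reinterpret the declared type; the attachment disposition keeps the bytes
    from rendering inside the site's own origin.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "upload.txt"
    return {"Content-Type": "text/plain; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{safe_name}"'}

def sniff_risk(headers: dict, body: bytes) -> str:
    """Classify one response as 'safe', 'weak' or 'sniffable'.

    'sniffable': no Content-Type on HTML-looking bytes (the situation behind the XSS
    in the thread). 'weak': text/plain but no nosniff, so the outcome depends on the
    browser honouring the declared type.
    """
    if not looks_like_html(body):
        return "safe"
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if not ctype:
        return "sniffable"
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    return "safe" if nosniff else "weak"

# Constructed sample responses standing in for an upload endpoint's output.
SAMPLE_RESPONSES = [
    ("ticket-42/readme.txt", {}, b"These are my notes.\n"),
    ("ticket-42/evil.txt", {}, b"<script>alert(1)</script>"),
    ("ticket-43/page.txt", {"Content-Type": "text/plain"}, b"<html><body>x</body></html>"),
    ("ticket-44/page.txt", attachment_headers("page.txt"), b"<html><body>x</body></html>"),
]

def audit(responses=SAMPLE_RESPONSES) -> list:
    """Return (name, verdict) for every response that is not plainly safe."""
    return [(n, v) for n, h, b in responses if (v := sniff_risk(h, b)) != "safe"]
```

Calling `audit()` on the constructed samples flags only the two responses that leave the type decision to the browser; the response built with `attachment_headers` passes.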
