Jon Barnett wrote:
> I would propose that the "type" attribute be more meaningful on, for example, the <a> element and the <object> element:
> - If the "type" attribute is present, the UA must use its value as the value of the Accept request header when requesting a resource

This does not help in the scenario I mention because the link which is used is in the spammer's email - and they are unlikely to be so obliging as to set the "type" attribute correctly to warn Bugzilla.

The plain fact is that the only way for the sensible mitigation strategy to work is for the browser to respect what the server tells it. Perhaps we should invent a new header, Really-Honestly-The-Content-Type-I-Promise, which browsers were forced to respect? <sigh>

> That would allow, for example, Bugzilla to use <a type="text/plain"> when linking to an attachment without fear that the attachment might be sniffed as text/html.

See above.

Gerv
