Based on my reading of the source code, it seems that Gecko treats a resource served as 'application/octet-stream' as an unknown type which is sniffed as if no Content-Type was specified.
Are there security implications with doing this? Or should I add 'application/octet-stream' to the list of unknown types that currently includes 'unknown/unknown', 'application/unknown', and '*/*' (step 2 of the "media type sniffing algorithm")? Or, given that that step calls the "rules for identifying an unknown media type" with the sniff-scriptable flag set, should it get its own call, with the sniff-scriptable flag unset? Are there other options here?

I haven't checked what UAs actually do in practice, but I don't believe the spec currently allows anything but leaving resources tagged as 'application/octet-stream' as they are.

--
Gordon P. Hemsley
[email protected]
http://gphemsley.org/ • http://gphemsley.org/blog/
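
The three options raised in the message above, compared side by side as an added example (not part of the original post, and neither Gecko's code nor spec text). The policy names, the signature tables and the sample bodies are constructed for illustration; a real sniffer checks many more patterns.

```javascript
// Added illustration: not Gecko code and not spec text.
// Types the page lists as "unknown" in step 2 of the algorithm.
const UNKNOWN_TYPES = ['unknown/unknown', 'application/unknown', '*/*'];

// Constructed, simplified signature tables (assumption, far from complete).
const SCRIPTABLE = [['<!doctype html', 'text/html'], ['<html', 'text/html'],
                    ['<script', 'text/html']];
const NON_SCRIPTABLE = [['gif87a', 'image/gif'], ['gif89a', 'image/gif']];

// Stand-in for the "rules for identifying an unknown media type".
function identifyUnknown(body, sniffScriptable) {
  const head = body.slice(0, 512).toLowerCase();
  if (sniffScriptable) {
    const trimmed = head.replace(/^[\t\n\f\r ]+/, '');
    for (const [sig, type] of SCRIPTABLE) {
      const next = trimmed[sig.length];
      if (trimmed.startsWith(sig) && (next === ' ' || next === '>')) return type;
    }
  }
  for (const [sig, type] of NON_SCRIPTABLE) {
    if (head.startsWith(sig)) return type;
  }
  return 'application/octet-stream';
}

// policy (hypothetical names): 'leave-as-is' | 'treat-as-unknown' | 'sniff-non-scriptable'
function computedType(contentType, body, policy) {
  const type = contentType.trim().toLowerCase();
  if (UNKNOWN_TYPES.includes(type)) return identifyUnknown(body, true);
  if (type === 'application/octet-stream') {
    if (policy === 'treat-as-unknown') return identifyUnknown(body, true);
    if (policy === 'sniff-non-scriptable') return identifyUnknown(body, false);
  }
  return type;
}

// Constructed sample bodies.
const HTML_BODY = '\n<html><body>uploaded by a user</body></html>';
const GIF_BODY = 'GIF89a\x01\x00\x01\x00';

function compare(body) {
  const out = {};
  for (const p of ['leave-as-is', 'treat-as-unknown', 'sniff-non-scriptable']) {
    out[p] = computedType('application/octet-stream', body, p);
  }
  return out;
}

console.log(compare(HTML_BODY), compare(GIF_BODY));
```

Only the 'treat-as-unknown' policy turns an HTML-looking body labelled 'application/octet-stream' into 'text/html'; with the flag unset the same body stays 'application/octet-stream' while the GIF is still recognised.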
