The current mimesniff spec says that when the Apache workaround is
applied sniffing should still be able to detect the content as
PostScript, images, videos, archives, audio formats, etc.
I feel that this poses an unacceptable security risk due to allowing
content through firewalls that is then interpreted differently by a UA.
In particular, postscript and media formats can be used to attack
viewers and decoders.
Web compat does not require this behavior: Gecko only allows
"text/plain" and "application/octet-stream" as output types when the
Apache workaround is being applied, and we have been successfully
shipping this for a while. I would strongly oppose changing the Gecko
behavior here due to the security implications.
Given the security risks and the lack of web compat issues, I believe
the spec should not require the behavior it currently requires.
-Boris
- [whatwg] [mimesniff] The Apache workaround should not sn... Boris Zbarsky
-
