> I disagree. Much of the Web actually relies on this today, and for the
> most part it works. For example, when you do:
>    <img src="foo" ...>
> ...the Content-Type is ignored except for SVG.

Well, <img> is actually a fairly special case of content that is
difficult for attackers to spoof and that can't be easily read back
across domains without additional CORS headers. But I believe that in
Chrome and in Firefox, C-T checks or other mitigations have been
recently added for at least <script>, <link rel=stylesheet>, and <object>
/ <embed>, all of which lead to interesting security problems when
they are used to load other types of documents across origins. Similar
changes are being made also for a couple of other cases, such as <a

