> I think that's Ian's point, that for those file types, we need CT, but for
> others, like manifest files, and image and plugins we shouldn't need.

If we take this route, I think we'd be essentially making sure that
many web applications that are safe today will gradually acquire new
security bugs out of the blue as the UA "magic signature" detection
logic is extended in the future (as it inevitably will - to account
for new plugins, new formats with scripting capabilities or other
interesting side effects, etc).

An out-of-band signalling mechanism has far superior security
properties compares to an in-band one, given how many if not most web
apps are designed today. It may be that they are designed the "wrong"
way, but the security rules were never particularly clear, and serving
content off-domain added a lot of complexity around topics such as
auth, so I think it's best to be forgiving and accommodate that. The
examples of CSV exports, text documents, and several more exotic
things aside, most JSONP APIs give the attacker broad control over the
first few bytes of the response.


Reply via email to