Stephan Arts wrote: > You do realize that the assumptions of mimetypes being 'safe' (and > providing additional features accordingly) leads to the most common > security vulnerabilities on the windows platform?
Actually, the vulnerabilities were because provided MIME types got ignored and treated as different types based on file content sniffing. Quite different from this. > I am not saying this would be a waste of time, but unless someone can > come with a solid definition of 'safe', do not even try to implement > anything of this kind. If there is one thing we can learn from MS, > then it is that not doing it right can be worse then not doing it at > all. Everything's unsafe. :-) The epiphany implementation treats everything as unsafe by default. There is a rather small whitelist of types which are considered "safe". This includes things like text/plain and image/jpeg. There is also an explicit blacklist of really unsafe "seriously not cool to ever automatically do default action" stuff such as application/x-shellscript etc. > Please be careful where you are taking this. Nod. I suppose I also should mention that I am a Firefox developer of over 6 years and a longstanding member of the Mozilla Security team, having been hired to do just that while working at Netscape, and I currently do quite a bit of work with the Fedora Security Response team. This proposal has come up precisely because of concerns for hardening our security, and I (among others) think this will help a great deal. _______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
