On 29/06/09 18:02, Brandon Sterne wrote:
> That is clever.  Yes, I think you're right that we should enforce a
> valid MIME type for the external script files.  We probably also want to
> whitelist application/json for sites utilizing JSON feeds.

It does make you think, what other brokennesses can we fix along the way while sites are opting in to this new model? Can we, for example, enforce the correct MIME types for images too, and throw away all that horrible sniffing[0]? How about feeds? ;-)

Gerv

[0] http://tools.ietf.org/html/draft-abarth-mime-sniff-00
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security