On Tue, Dec 24, 2002 at 02:12:41PM +0000, Matthew Toseland wrote: > On Mon, Dec 23, 2002 at 11:48:47PM -0500, Andrew Rodland wrote: > > On Monday 23 December 2002 10:43 pm, Matthew Toseland wrote: > > > Maybe we can just block link type=* ? > > > > > I get a feeling that that won't work. > > I'm betting that a too-large contingent of browsers will either > > 1) reject the stylesheet outright if there isn't a type= in the link tag (I > > think maybe they're even supposed to do that), > > or 2) treat the stylesheet as CSS regardless of both the type= and the > > mimetype (only IE comes to mind here, though -- although on first check, > > Konqy seems to do it as well -- at least for local docs. Will verify online > > soon.) > Hmm. Well in that case... we would have to either disallow external > stylesheets, or have the anonymity filter check the MIME type of the > stylesheet (by fetching its headers... is it the last found or the first > found MIME type that is respected? I.E. would we have to fetch the whole > file, or could we get away with the first thing on the chain that > specifies a MIME type?), to make sure it matches that specified in the > tag... Can anyone think of a simple solution short of disabling external > stylesheets? If nobody comes up with a better solution, we're going to have to disable link rel=stylesheet, link type=*, and link charset=*... we may as well just disable the LINK tag. One consequence of this is banning external stylesheets. Anyone got a better idea?
-- Matthew Toseland toad at amphibian.dyndns.org amphibian at users.sourceforge.net Freenet/Coldstore open source hacker. Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03 http://freenetproject.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20021230/e7214c2f/attachment.pgp>
