> 1. The www.google.com app doesn't filter CRLF

This is not strictly required; there are other scenarios where this vulnerability is exploitable.

> 2. IE supports the mhtml protocol handler to render the mhtml file format,
> and this is why mhtml: is designed

The real problem is that when mhtml: is used to fetch the container over an underlying protocol, it does not honor Content-Type and related headers (or even "nosniff").

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
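As an added example (my code, not from the thread, Google or Microsoft), here are two defender-side checks matching the two points above: a server-side rejection of CR/LF in any value that ends up in a response header, and a heuristic that inspects the response body itself for an MHTML container, because, as the reply notes, Content-Type and nosniff are ignored when the body is fetched via mhtml:. All function names and sample strings are constructed for the example; the body heuristic is deliberately simple and stricter than IE's own lenient parser.

```python
import re

# --- Point 1: CR/LF must never reach a response header ---------------------

_CRLF = re.compile(r"[\r\n]")


def reject_crlf(value):
    """Refuse a header value containing CR or LF (the server-side fix for
    header injection). Raising is preferable to silently stripping, since
    stripping can mask an attack in progress."""
    if _CRLF.search(value):
        raise ValueError("CR/LF in header value")
    return value


def set_header(headers, name, value):
    """Add a header to a dict-like header map after validating both sides."""
    headers[reject_crlf(name)] = reject_crlf(value)
    return headers


# --- Point 2: detect bodies that parse as an MHTML container -----------------

# Case-insensitive MIME header announcing a multipart/related container and
# capturing its boundary token (quoted or bare).
_MHTML_HEADER = re.compile(
    r"^Content-Type:\s*multipart/related.*?boundary=\"?([^\";\r\n]+)",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)


def looks_like_mhtml(body):
    """Heuristic: True if the body carries a multipart/related header whose
    boundary actually appears as a part delimiter. Checks the body, not the
    Content-Type header, because the mhtml: handler ignores the header."""
    m = _MHTML_HEADER.search(body)
    if not m:
        return False
    boundary = m.group(1).strip()
    return ("--" + boundary) in body


# --- Constructed sample inputs ----------------------------------------------

# A benign reflected value and one carrying an injected header block.
SAFE_VALUE = "en-US"
INJECTED_VALUE = "en-US\r\nContent-Type: text/plain\r\n\r\nMIME-Version: 1.0"

# A minimal MHTML container as a response body (constructed sample).
SAMPLE_MHTML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="_BND_"\r\n'
    "\r\n"
    "--_BND_\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>constructed sample part</html>\r\n"
    "--_BND_--\r\n"
)

SAMPLE_HTML = "<html><body>plain page, not a container</body></html>"


if __name__ == "__main__":
    print(set_header({}, "Content-Language", SAFE_VALUE))
    try:
        set_header({}, "Content-Language", INJECTED_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
    print("mhtml?", looks_like_mhtml(SAMPLE_MHTML), looks_like_mhtml(SAMPLE_HTML))
```

The first check belongs at every point where request data is copied into a response header; the second is a scanner or WAF-side signal that a response body would be treated as a container regardless of how it is labelled, which is the only place a header-level control like nosniff cannot reach.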