michael lefevre wrote:
>
> In article <[EMAIL PROTECTED]>, Nelson B. Bolyard wrote:
> > Decisions about whether a file is "safe" for some purpose should be made
> > based on the MIME content type, not the file name or "extension".
> > mozilla should always make the MIME content type easily accessible.
>
> it would be nice if that was the case, but it's not true in Windows.

It certainly can be. Communicator 4.x works precisely that way on Windows.

> it depends on the exact operation being performed, but Windows itself and
> many Windows apps use only the extension to determine how to handle a
> file.

If mozilla behaves like that, it is by mozilla's choice. No program needs to behave that way, not even on Windoze. Are you saying that mozilla should behave like other windoze applications, rather than doing what the standard says?

> failing to take that into account leads to security issues, and
> several based on exactly that flaw have been found in internet explorer
> previously.

Yes, choosing to honor the file name extension rather than the MIME type does lead to security issues, and certain browsers that have attempted to honor the file name instead of the MIME type have had those issues. Communicator has none of those issues precisely because it ignores file name extensions.

> for Windows at least, decisions about whether a file is
> "safe" for a purpose must be made based on both the MIME type _and_ the
> file name extension, depending on what the purpose is...

How do you know what the purpose is? The answer, as defined in the standard, is that the MIME content type tells you, and you honor that.

> --
> michael

As you can see from the examples below, this is a very commonly misunderstood issue.

http://bugzilla.mozilla.org/show_bug.cgi?id=57776#c2
http://bugzilla.mozilla.org/show_bug.cgi?id=63481
http://bugzilla.mozilla.org/show_bug.cgi?id=66157
http://bugzilla.mozilla.org/show_bug.cgi?id=67018
http://bugzilla.mozilla.org/show_bug.cgi?id=68421 <-- quotes the standard
http://bugzilla.mozilla.org/show_bug.cgi?id=68799#c3
http://bugzilla.mozilla.org/show_bug.cgi?id=74645
http://bugzilla.mozilla.org/show_bug.cgi?id=85431
http://bugzilla.mozilla.org/show_bug.cgi?id=96287
http://bugzilla.mozilla.org/show_bug.cgi?id=125094
http://bugzilla.mozilla.org/show_bug.cgi?id=151241
http://bugzilla.mozilla.org/show_bug.cgi?id=157079
http://bugzilla.mozilla.org/show_bug.cgi?id=159490
http://bugzilla.mozilla.org/show_bug.cgi?id=160199
http://bugzilla.mozilla.org/show_bug.cgi?id=162443
http://bugzilla.mozilla.org/show_bug.cgi?id=174694
http://bugzilla.mozilla.org/show_bug.cgi?id=185458
http://bugzilla.mozilla.org/show_bug.cgi?id=186508
http://bugzilla.mozilla.org/show_bug.cgi?id=186514
http://bugzilla.mozilla.org/show_bug.cgi?id=187009

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
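
The disagreement in this thread, as an added example that is not part of the original message: a Python check that treats the declared MIME content type as the type of record and flags a suggested file name whose extension a Windows shell would handle differently once the file is on disk. The two tables, the verdict strings and the function name check_download are assumptions made for illustration.

```python
import os
from email.message import Message

# Constructed sample tables (assumptions; a real OS mapping is much larger).
EXT_TYPES = {".txt": "text/plain", ".htm": "text/html", ".html": "text/html",
             ".jpg": "image/jpeg", ".gif": "image/gif"}
SHELL_EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}


def check_download(headers):
    """Return (declared_type, extension, verdict) for one response's headers.

    headers is a list of (name, value) pairs. The declared MIME type decides
    how the content is handled; the file name is only checked for conflict.
    """
    msg = Message()
    for name, value in headers:
        msg[name] = value
    declared = msg.get_content_type()  # lower-cased, parameters removed
    # Windows drops trailing dots and spaces from file names, so a suggested
    # name of "a.exe. " ends up on disk as "a.exe".
    filename = (msg.get_filename() or "").rstrip(". ")
    ext = os.path.splitext(filename)[1].lower()  # last extension only
    if ext in SHELL_EXECUTABLE and not declared.startswith("application/"):
        # Declared as passive content, but the saved name would be executed.
        verdict = "block-or-rename"
    elif ext in EXT_TYPES and EXT_TYPES[ext] != declared:
        verdict = "warn-mismatch"
    else:
        verdict = "consistent"
    return declared, ext, verdict


if __name__ == "__main__":
    # Constructed sample headers, not taken from any of the bug reports.
    samples = [
        [("Content-Type", "image/jpeg"),
         ("Content-Disposition", 'attachment; filename="holiday.jpg"')],
        [("Content-Type", "text/plain; charset=us-ascii"),
         ("Content-Disposition", 'inline; filename="readme.txt.exe. "')],
        [("Content-Type", "text/html"),
         ("Content-Disposition", 'attachment; filename="notes.txt"')],
    ]
    for sample in samples:
        print(check_download(sample))
```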