In article <[EMAIL PROTECTED]>, Nelson B. Bolyard wrote:
> Grey Hodge / jesus X wrote:
>>
>> On 12/27/2002 9:18 PM Nelson B. Bolyard cranked up the brainbox and said:
>> > Decisions about whether a file is "safe" for some purpose should be made
>> > based on the MIME content type, not the file name or "extension".
>> > mozilla should always make the MIME content type easily accessible.
>>
>> Agreed, to an extent. But one can fake/alter the mimetype.
>
> Fake/alter? The MIME content type is, by definition, the correct type that
> the browser should honor. It is possible for the MIME content type to
> differ from Windows association with the file name extension. That is not
> a "fake" content type, and in such cases, the correct standards-compliant
> behavior is to obey the MIME content type, not the file name extension.
>
> Communicator did precisely that. Mozilla could and should!

if communicator does that without limitation, then it's a security risk...

> The way to do it (on Windows) is to lookup the MIME content type in the
> registry (assuming it's not one that mozilla overrides), find the command
> used to open that type, and then run that command, passing the (temp) file
> name as the appropriate argument (e.g. as %1).

the trouble is that in the standard registry, there are a bunch of MIME types with commands that will execute whatever they are given. so you simply have a file called virus.exe, give it one of those MIME types, and then mozilla would run the virus... that's not acceptable - it has to be safe for clueless users to use.

[snip]

> They don't need to be visible if they have no role in deciding the
> disposition of the file. Standards-compliant browser behavior is to
> handle the file per its MIME content type. So, the thing the user needs
> to see is the MIME content type.

that is also something of an issue - most Windows users have no clue about MIME types, but they do understand extensions. if you want your average user to make a judgement over what's safe and what isn't, you need to give them information they understand...

--
michael
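
The concern raised in the reply above, as an added example that is not part of the original thread: a check a client could run before dispatching a download to the registered open command, refusing handlers whose command line is just the file itself. The registry snapshot is constructed sample data, and all function and variable names are hypothetical.

```python
# Constructed snapshot of the registry lookups described in the thread
# (sample data for illustration, not read from a real machine).
MIME_TO_EXT = {            # HKCR\MIME\Database\Content Type\<type> -> Extension
    "application/pdf": ".pdf",
    "application/x-msdownload": ".exe",
    "text/plain": ".txt",
}
EXT_TO_PROGID = {          # HKCR\<.ext> -> ProgID
    ".pdf": "AcroExch.Document",
    ".exe": "exefile",
    ".txt": "txtfile",
}
PROGID_TO_COMMAND = {      # HKCR\<ProgID>\shell\open\command
    "AcroExch.Document": r'"C:\Program Files\Reader\reader.exe" "%1"',
    "exefile": '"%1" %*',  # the "program" is the downloaded file itself
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

def handler_for(mime):
    """Follow MIME type -> extension -> ProgID -> open command; None if unset."""
    ext = MIME_TO_EXT.get(mime.strip().lower())
    progid = EXT_TO_PROGID.get(ext)
    return PROGID_TO_COMMAND.get(progid)

def first_token(command):
    """Return the program part of a Windows command line (quotes removed)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""

def executes_its_argument(command):
    """True when the program position is the file placeholder (%1 or %L)."""
    return first_token(command).lower() in ("%1", "%l")

def disposition(mime):
    """'open' only if a handler exists and is a real program; else 'save-only'."""
    command = handler_for(mime)
    if command is None or executes_its_argument(command):
        return "save-only"
    return "open"

if __name__ == "__main__":
    for mime in ("application/pdf", "application/x-msdownload", "text/plain"):
        print(mime, "->", disposition(mime))
```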
