On Fri, Oct 16, 2009 at 5:56 PM, Ben Laurie <b...@google.com> wrote:
> On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
>> This is, imo, a much bigger problem than that of people embedding content
>> from an untrusted site and getting content X instead of content Y,
>> especially because content X can't actually access the page that contains
>> it, right?
>
> Flash can, for example.

If Flash can do bad things, then sourcing Flash from an untrusted site and getting malicious Flash with the expected MIME type doesn't seem like it's any better than getting malicious Quicktime or Java or whatever via a switched MIME type. Is there something I'm missing?

Mike