On 10/16/09 8:21 PM, Ben Laurie wrote:
> The point is that if I think I'm sourcing something safe but it can be overridden by the MIME type, then I have a problem.
Perhaps we need an attribute on <object> that says to only render the data if the server-provided type and @type match? That way you can address your use case by setting that attribute and we don't enable attacks on random servers by allowing @type to override the server-provided type?
-Boris
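An added example (not code from the thread or from any browser) modelling the decision Boris proposes in JavaScript: by default the server-provided Content-Type wins and @type is only a fallback; with the opt-in attribute, the element is rendered only when both agree. The attribute name `typemustmatch` and the function names are assumptions.

```javascript
// Parse "type/subtype; param=value" into a lower-cased essence plus parameters.
// Returns null for anything that is not a well-formed MIME type, so a junk
// value never compares equal to a real one.
function parseMimeType(value) {
  if (typeof value !== "string") return null;
  const [essence, ...params] = value.split(";").map((s) => s.trim());
  const m = /^([\w!#$&^.+-]+)\/([\w!#$&^.+-]+)$/.exec(essence);
  if (!m) return null;
  const parameters = {};
  for (const p of params) {
    const eq = p.indexOf("=");
    if (eq > 0) {
      parameters[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
    }
  }
  return { essence: essence.toLowerCase(), parameters };
}

// Decide which type, if any, an <object> should be rendered as.
//   attrType   - the element's @type attribute, or null if absent
//   serverType - the Content-Type header the server sent, or null if absent
//   mustMatch  - whether the assumed "typemustmatch" attribute is present
// Only the essence (type/subtype) is compared; parameters such as charset
// are ignored for the match, as they do not change which handler is chosen.
function resolveObjectType(attrType, serverType, mustMatch) {
  const declared = parseMimeType(attrType);
  const served = parseMimeType(serverType);
  if (mustMatch) {
    // Strict mode: render only when both sides name the same essence.
    if (declared && served && declared.essence === served.essence) {
      return { render: true, type: served.essence };
    }
    return { render: false, type: null };
  }
  // Default mode from the thread: the server-provided type wins and @type
  // can only fill in when the server sent nothing usable.
  if (served) return { render: true, type: served.essence };
  if (declared) return { render: true, type: declared.essence };
  return { render: false, type: null };
}
```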