On 11/29/12 1:30 AM, Gordon P. Hemsley wrote:
Based on my reading of the source code, it seems that Gecko treats a resource served as 'application/octet-stream' as an unknown type which is sniffed as if no Content-Type was specified.
Only for media (<video> and <audio>) loads. Note that the HTML spec requires this behavior for those.
Are there security implications with doing this?
In general, yes. Doing this for document loads would be a security nightmare, for example.
-Boris
