Two implementation risks to keep in mind:

1) Both jar: and mhtml: (which work or worked in a very similar way)
have caused problems in absence of strict Content-Type matching. In
essence, it is relatively easy for something like a valid
user-supplied text document or an image to be also a valid archive.
Such archives may end up containing "files" that the owner of the
website never intended to host in their origin.

2) Both schemes also have a long history of breaking origin / host
name parsing in various places in the browser and introducing security
bugs.

/mz

Reply via email to