[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <FFFA7A17-F388-11D8-9438-000393754328@base-industries.net>
From: sec at base-industries.net (fukami)
Subject: Safari/WebCore Content Sniffing
Hi!
Not 100% sure if this is a topic for fd so far.
So, please, put your flamethrower aside if it's not.
A couple of days ago I recognized, that Safari (and
other apps using WebCore on MacOS X) do something known
as "content sniffing". That means, if Safari gets a file
with Content-Type "plain/text" it looks into it, and if
the file contains a single(!) HTML- or JavaScript tag,
Safari treats that file as HTML.
There seems to be no way of changing that stupid behavior
in Safari/WebCore, and I was a shocked when I read the
following comment regarding Safari RSS in the upcoming
Tiger release [1] (found in Mark Pilgrims weblog [3],
who seems also concerned):
Also, there is a bit of code way down in WebCore
that sniffs the incoming page and, when it detects
the start of an XML document that contains RSS or
Atom, it auto-corrects the MIME type to
application/xml+rss or application/xml+atom.
The W3C page "Internet Media Type registration, consistency
of use" [2] reads:
An example of incorrect and dangerous behavior is a
user-agent that reads some part of the body of a
response and decides to treat it as HTML based on its
containing a <!DOCTYPE declaration or <title> tag, when
it was served as text/plain or some other non-HTML type.
All other browser I tested so far have the right behavior
and treat plain text files as plain text files.
fukami
[1] http://inessential.com/?comments=1&postid=2885
[2] http://www.w3.org/2001/tag/2002/0129-mime#consistency
[3] http://diveintomark.org/archives/2004/08/13/safari-content-sniffing
--
A Discordian Shall Always use the Official Discordian Document
Numbering System.
Powered by blists - more mailing lists