Full Disclosure mailing list archives
Safari/WebCore Content Sniffing
From: fukami <sec () base-industries net>
Date: Sat, 21 Aug 2004 17:44:34 +0200
Hi!

Not 100% sure if this is a topic for fd so far. So, please, put your flamethrower aside if it's not.

A couple of days ago I recognized that Safari (and other apps using WebCore on MacOS X) do something known as "content sniffing". That means, if Safari gets a file with Content-Type "plain/text" it looks into it, and if the file contains a single(!) HTML- or JavaScript tag, Safari treats that file as HTML.

There seems to be no way of changing that stupid behavior in Safari/WebCore, and I was shocked when I read the following comment regarding Safari RSS in the upcoming Tiger release [1] (found in Mark Pilgrim's weblog [3], who also seems concerned):

  Also, there is a bit of code way down in WebCore that sniffs the incoming page and, when it detects the start of an XML document that contains RSS or Atom, it auto-corrects the MIME type to application/xml+rss or application/xml+atom.

The W3C page "Internet Media Type registration, consistency of use" [2] reads:

  An example of incorrect and dangerous behavior is a user-agent that reads some part of the body of a response and decides to treat it as HTML based on its containing a <!DOCTYPE declaration or <title> tag, when it was served as text/plain or some other non-HTML type.

All other browsers I tested so far have the right behavior and treat plain text files as plain text files.

fukami

[1] http://inessential.com/?comments=1&postid=2885
[2] http://www.w3.org/2001/tag/2002/0129-mime#consistency
[3] http://diveintomark.org/archives/2004/08/13/safari-content-sniffing

-- 
A Discordian Shall Always use the Official Discordian Document Numbering System.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
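The behaviour described in the message above, modelled as an added example (not part of the original post and not WebCore's code): a user agent that honours the declared type next to one that reinterprets a plain-text body as HTML when it finds a tag, plus a server-side audit listing the responses whose meaning changes. The tag pattern, function names and sample responses are assumptions made for illustration.

```javascript
// Simplified model (assumption): "contains a tag" means any <name ...> or
// </name> token, or a <!DOCTYPE declaration. WebCore's real heuristic is
// not given in the post.
const TAG_RE = /<\/?[a-zA-Z][a-zA-Z0-9]*(\s[^<>]*)?\/?>|<!DOCTYPE\b/i;

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// User agent that treats the body as what the server declared,
// which is the behaviour the quoted W3C text asks for.
function honourDeclaredType(contentType, body) {
  return mediaType(contentType);
}

// User agent that behaves as the post describes: a single tag in a body
// served as text/plain is enough to treat the whole response as HTML.
function sniffingType(contentType, body) {
  const declared = mediaType(contentType);
  if (declared === "text/plain" && TAG_RE.test(body)) return "text/html";
  return declared;
}

// Server-side audit: paths whose effective type differs between the two
// user agents, i.e. plain-text content a sniffing client would render.
function auditResponses(responses) {
  return responses
    .filter(r => sniffingType(r.contentType, r.body) !==
                 honourDeclaredType(r.contentType, r.body))
    .map(r => r.path);
}

// Constructed sample responses (not taken from the post).
const SAMPLE = [
  { path: "/notes.txt", contentType: "text/plain; charset=utf-8",
    body: "meeting at 10, bring the 2 < 3 proof" },
  { path: "/paste/41.txt", contentType: "text/plain",
    body: "see below\n<script>document.title = 'x'</script>\n" },
  { path: "/howto.txt", contentType: "text/plain",
    body: "Start the page with <!DOCTYPE html> and a <title>." },
  { path: "/index.html", contentType: "text/html", body: "<p>hello</p>" },
];

console.log(auditResponses(SAMPLE));
```

A site that serves user-supplied text can run a check like this over stored content to find files that a sniffing client would render as markup instead of displaying as text.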