On 4/2/06, Jorge Arellano Cid <jcid@dillo.org> wrote:
> 1.- Keep it as is
> 2.- Do Content-type sniffing and follow the SPEC. i.e. as stated above, to take the right of ignoring the offending contents.
> 3.- Do Content-type sniffing and take actions (like Mozilla).
>
> I like best the second one. Basically this is, If I get a binary stream as "text/plain" or "text/html", or an image that's not an image, then issue a warning and ignore it (abort). Note: this is a basic security procedure.
>
> This has the advantage of protecting the browser against attacks and following the SPEC. The user is left to decide (for instance to retry with "save link as").
>
> The third option looks more "user friendly" but it goes against the SPEC.
Just to delurk and make a note here. The second one would be spec, but the third one is both user friendly and server friendly in limited cases.

Take for example VCL and Comic Genesis (which I admin). To prevent inlining of images on outside servers and general bandwidth wastage, we've programmed the server to check the Referer: header. CG's a bit stricter than VCL is with broken browsers and proxies that don't send (or worse, strip) a Referer: header, but both check to see if the request for an image is for a page it just served. If the check fails, CG sends out a 403 and shoots out an HTML page saying so. VCL redirects to an HTML page which shows the image itself.

In either case, Mozilla/IE/Konqueror/Safari just say that the image is broken in the non-VCL/CG webpage it pulled. If it was directly requested, VCL pulls the HTML/IMG up. CG 403's.

If I remember correctly, Mozilla actually asks for an image MIME type first, and then a */* MIME type as a catchall.

-- 
Kelly "STrRedWolf" Price
http://strredwolf.furrynet.com
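The check Jorge's option 2 describes (sniff the body, and if a "text/plain", "text/html" or "image/*" response does not actually carry that kind of content, warn and abort rather than guess) can be written as a small consistency check. The following is an added example written for this thread, not code from Dillo or from the CG/VCL servers; the magic-byte table, the binary-text heuristic and the strictness on image subtype mismatches are design assumptions of the example, and the sample responses are constructed. It also illustrates the hotlink case Kelly mentions: an HTML 403 page delivered where an image was expected is rejected instead of being rendered or silently swallowed.

```python
"""Content-Type consistency check in the spirit of "option 2":
sniff the body, compare it with the declared type, and refuse to
render on a mismatch. Added example; assumptions noted in comments."""
from dataclasses import dataclass
from typing import Optional

# Assumed signature table (a few common formats; real sniffers carry more).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-msdownload"),
    (b"PK\x03\x04", "application/zip"),
]

# Types for which a binary body is treated as an offending response.
TEXT_TYPES = {"text/plain", "text/html", "text/css", "text/javascript"}


def parse_media_type(header: str) -> str:
    """Strip parameters (e.g. '; charset=...') and normalise case."""
    return header.split(";", 1)[0].strip().lower()


def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by a leading signature, or None."""
    for signature, media_type in MAGIC:
        if data.startswith(signature):
            return media_type
    return None


def looks_binary(data: bytes) -> bool:
    """Heuristic (assumed): a NUL byte, or more than 10% control
    characters outside the usual whitespace/escape set, in the first
    512 bytes marks the body as binary rather than text."""
    sample = data[:512]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    allowed = {8, 9, 10, 12, 13, 27}
    control = sum(1 for b in sample if b < 32 and b not in allowed)
    return control / len(sample) > 0.10


@dataclass
class Verdict:
    accept: bool
    reason: str


def check(content_type: str, body: bytes) -> Verdict:
    """Decide whether the body may be handed to the renderer for the
    declared Content-Type. Mismatches are refused, never re-labelled."""
    declared = parse_media_type(content_type)
    sniffed = sniff(body)

    if declared in TEXT_TYPES:
        if sniffed is not None or looks_binary(body):
            return Verdict(False, f"declared {declared} but body looks like "
                                  f"{sniffed or 'binary data'}; ignoring")
        return Verdict(True, f"text body is consistent with {declared}")

    if declared.startswith("image/"):
        if sniffed is None or not sniffed.startswith("image/"):
            # Covers the hotlink case: an HTML 403/redirect page served
            # where an <img> was expected is not an image.
            return Verdict(False, f"declared {declared} but body is not a "
                                  f"recognised image ({sniffed or 'unknown'})")
        if sniffed != declared:
            # Design choice: a PNG labelled image/jpeg is also refused,
            # since the decoder chosen from the header would fail anyway.
            return Verdict(False, f"declared {declared} but body is {sniffed}")
        return Verdict(True, f"image signature matches {declared}")

    # No sniffing rule for other types: pass through unchanged.
    return Verdict(True, f"no sniffing rule for {declared}; passing through")


if __name__ == "__main__":
    # Constructed sample responses (declared type, body).
    samples = [
        ("text/html; charset=utf-8", b"<html><body>hello</body></html>"),
        ("text/plain", b"\x7fELF\x02\x01\x01" + b"\x00" * 16),
        ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("image/gif", b"<html><body>403 Forbidden</body></html>"),
        ("image/png", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
        ("application/octet-stream", b"\x00\x01\x02"),
    ]
    for ctype, body in samples:
        v = check(ctype, body)
        print(f"{ctype:28s} -> {'accept' if v.accept else 'ABORT '} ({v.reason})")
```

Running the block prints one verdict per constructed response: the genuine HTML and PNG bodies are accepted, the ELF file served as text/plain and the HTML page served as image/gif are refused, and the unmodelled octet-stream passes through untouched, which is what "follow the SPEC and ignore the offending content" amounts to in code.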