Browsers ignore tag-terminating byte when sniffing scriptable patterns
GPHemsley opened this issue · comments
Gordon P. Hemsley commented
The way the rules for identifying an unknown MIME type are supposed to work is that only the patterns listed in the table are allowed to be sniffed, including the tag-terminating byte of either space or closing angle bracket. However, both Firefox and Chrome ignore the tag-terminating byte in apparently all instances listed in the table.
This is either a security risk in the browsers, or we should update mimesniff to remove the requirement.
Gordon P. Hemsley commented
Actually, Firefox prompts for download in a number of strange cases where the options should be either text/html
or text/plain
.