On 29 October 2013 04:47, Tim ignored_mailbox@yahoo.com.au wrote:
On Mon, 2013-10-28 at 22:55 +0100, Mateusz Marzantowicz wrote:
I don't know it is a correct design in that case. FF doesn't check file content and only trusts that HTTP headers are set correctly. But it is FF and not Fedora issue anymore.
And that is how they're supposed to work, and how it really should be done, for reasons of sanity. When you ignore headers, and just pass data to browsers to "sort out what do with this yourself," things screw up, right royally.
For one thing, it's why Windows is so vulnerable. Nasty stuff bypasses sensible handling, and is allowed to execute, because that's what Windows does with binary program files (it executes them).
This isn't an argument for using content type rather than autodetection, the content type could be manipulated as part of an attack. What you go on to say about the problem of knowing what you've got:
There are any number of different types of files (function-wise) that are the same file-type (construction-wise), so they need correct identification by what's sending it, as it will be the only thing that would correctly know what it is.
This and the general problem of correctly identifying the type of every data type and version under the sun is the reason to not try and snoop the data type.