Trusted vs Unstrusted MIME types
Christopher Aillon
caillon at redhat.com
Sat Jul 7 13:22:19 PDT 2007
Thomas Leonard wrote:
> Both the .desktop file and the MIME information come from the application,
> so that doesn't help you.
You are correct that the desktop file and the MIME information the
application claims to support both come from the application. Good
thing for me that this thread isn't about that. :-)
I'm requesting a list of MIME types known to be potentially unsafe,
which already exists in epiphany's source code. I want each application
that needs to use this to not have to keep track of their own list.
> However, putting it in the MIME database is quite risky. For example, say
> I'm writing a python code visualiser. I want to be able to click on a
> python file in my browser to view its structure, so I supply my program
> with an MIME XML file saying "Python files are safe".
>
> Now, if the user also has IPython installed, clicking on a Python file
> might run it without asking!
You need to understand that security is all about mitigating risks.
When downloading a file which can be executed, we need to make sure we
know of this possibility and act accordingly. That might mean not
caring what programs are "safe" or not and giving the user the option of
the system default text editor (which would be the default) and a list
of other applications which claim to handle the type. Or maybe the
default would be to simply download it. That is irrelevant because the
browser implementors and mail client implementors get to decide this.
The point is that they need to know that certain files might need to be
handled differently.
>> Knowing that the content is potentially dangerous is much more valuable
>> here anyway, because maybe Firefox might simply refuse to open the file
>> via a helper and only download it to disk. Maybe it wants to issue a
>> warning to the user.
>
> What would the warning say?
In the download manager, the download could be a different color, there
could be an icon that would denote its status as potentially dangerous.
Maybe when the user attempts to open from the download manager, it
would pop up a dialog similar to what nautilus does when you try to open
a shell script:
"foo.sh is an executable text file. Do you want to run foo.sh or
display its contents?"
But it doesn't really matter what it would say. You aren't going to be
implementing that part. It is clear that this is needed because
epiphany already implements it. MSIE does something similar.
Mozilla is asking for it for use in Firefox, Thunderbird, etc.
More information about the xdg
mailing list