Trusted vs Untrusted MIME types
mcr at xdsinc.net
Sun Jul 8 19:43:33 PDT 2007
>>>>> "Thomas" == Thomas Leonard <talex5 at gmail.com> writes:
Thomas> However, putting it in the MIME database is quite risky. For
Thomas> example, say I'm writing a python code visualiser. I want to
Thomas> be able to click on a python file in my browser to view its
Thomas> structure, so I supply my program with a MIME XML file
Thomas> saying "Python files are safe".

It must say:
"python files are safe for viewing"
"python files are safe for editing"
You have to have the verb there.

Fundamentally, it would be good to identify things as being passive
("data") or active ("programs"). There are many formats which pretend
to be data, but are in fact programs. This includes MS-Word files (in
all modes), but also latex files when "formatted", but not when "edited".

It would also be useful if all applications could be told in a desktop
standard way, that some piece of data is untrustworthy, as even things
like emacs have things like "Local variables" which can be used to

Thomas> What would the warning say?
Thomas> "Opening files of this type might or might not be
Thomas> dangerous. It depends on which application you open them
Thomas> with, but I don't have enough information to tell you
Thomas> whether yours is OK. Do you want to continue?"

Alas, I don't know that this is meaningful to naive users.

] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [