[freenet-dev] Firefox 2, RSS, content filter
Florent Daignière (NextGen$)
nextgens at freenetproject.org
Sat Dec 2 10:52:47 UTC 2006
* toad <toad at amphibian.dyndns.org> [2006-12-02 03:07:25]:
> On Thu, Nov 30, 2006 at 10:13:17PM +0000, toad wrote:
> > Firefox 2.0 includes an "RSS feed sniffer". What this means is that if a
> > file looks like RSS, regardless of its content type (tests show this
> > happening with text/plain and image/jpeg, but not text/html), it will be
> > treated as RSS and either displayed (previewed?) internally or passed to
> > a third party RSS reader app, including all inline images (potentially
> > web bugs).
>
> It turns out that XML does not tolerate ANY non-tag characters before
> the first tag, and Firefox transparently falls back to the original MIME
> type if parsing the RSS fails.
Is that the current behaviour or the one after your patch got merged
into their trunk and released?
> The consequences of this:
> - If we check the headers of image/png, image/jpeg etc, we can be 100%
>   sure that anything passed through will NOT be recognized as RSS.
> - That leaves text/plain. If we can be sure that a file does not start
>   with "<", we can safely pass it through. If a file does start with
>   "<", then we can:
>   - Convert it to UTF16. We need to know what the charset is to start
>     with to do this, but it should be safe for the time being (Firefox's
>     RSS detection only works with US-ASCII based charsets).
>   - Add an invisible space. Again we need to know the charset, which we
>     often won't. But this is safer than the first option.
>   - Add a visible space or newline. This will always work, and will
>     always be safe, but it *modifies the content*.
>
> Which is best?
I would vote for "add a few newlines" as we use to mangle the content anyway
and that won't prevent people from using cut&paste.
--
NextGen$.
"One can obey the laws while wishing they would change, just as one serves in war while wishing for peace."
Merleau Ponty - L'éloge de la philosophie
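
Added example, not part of the original message and not Freenet's own filter code: a sketch of the rules discussed in this thread, checking image headers and padding text/plain bodies that start with "<" with newlines. The function name, verdict strings, magic-number table and the UTF-8 BOM handling are assumptions made for illustration, and the sample inputs are constructed.

```python
# Sketch of the thread's proposed rules; names and verdicts are hypothetical.
UTF8_BOM = b"\xef\xbb\xbf"
IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
PAD = b"\n\n"  # the "add a few newlines" option; it modifies the content


def filter_for_feed_sniffing(content_type, data):
    """Return (verdict, data); verdict is pass, padded, reject or unhandled."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in IMAGE_MAGIC:
        # A body that begins with the real image header cannot begin with a
        # tag, so only header-checked images are passed through.
        if data.startswith(IMAGE_MAGIC[mime]):
            return "pass", data
        return "reject", b""
    if mime == "text/plain":
        # Assumption: look past a UTF-8 BOM so it cannot hide a leading "<".
        body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
        if body.startswith(b"<"):
            return "padded", PAD + data
        return "pass", data
    # Other types (text/html and so on) are outside what the thread covers.
    return "unhandled", data


# Constructed sample inputs, not captured traffic.
SAMPLES = [
    ("feed as text", "text/plain; charset=us-ascii", b"<rss version='2.0'></rss>"),
    ("plain note", "text/plain", b"hello <b>world</b>"),
    ("bom then tag", "text/plain", UTF8_BOM + b"<feed/>"),
    ("real png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("feed as jpeg", "image/jpeg", b"<?xml version='1.0'?><rss/>"),
]


def run_samples():
    """Return (sample name, verdict) pairs for the constructed inputs."""
    return [(n, filter_for_feed_sniffing(t, d)[0]) for n, t, d in SAMPLES]


if __name__ == "__main__":
    for name, verdict in run_samples():
        print(f"{name:14} {verdict}")
```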