From: Thomas Roessler (roesslerDOES-NOT-EXIST.ORG)
Date: Wed Apr 04 2001 - 05:16:42 CDT


    On 2001-04-03 17:52:10 +0200, Jesús López de Aguileta wanted to
    write:

    > -----8<----8<---
    > Content-Type: application/x-shockwave-flash
    > name="hello.exe"
    > Content-Transfer-Encoding: base64
    > Content-ID: <KR>
    >
    > [Here encoded executable]
    >
    > ---8<----8<---

    > IE again asks for "open this file" instead of "open this program".
    > And the difference is not only in the type of the question. The
    > Authenticode window doesn't pop up if you click the OK button.

    Well, basically the behaviour looks correct to me. Why shouldn't a
    shockwave flash end in .exe? After all, there's a reason why we
    have Content-Type values....

    However, there's one thing I don't understand - if Windows
    absolutely has to rely on file name extensions to make some of the
    security-relevant decisions, why doesn't the browser force the file
    name to match the content-type header when storing the file?

    Why don't you just automatically rename an attachment like the one
    given above to hello.exe.swf upon saving or passing to a viewer,
    thereby tagging it with correct type information, and avoiding the
    problems? Just ignoring the Content-Type field certainly wouldn't be
    the right thing.

    (Although it's something Microsoft MIME implementations are infamous
    for.)

    BTW, what I'm talking about here is basically just the same thing as
    the nametemplate field in mailcap entries, as defined in RFC 1524,
    from September 1993.

    -- 
    Thomas Roessler			    <roesslerdoes-not-exist.org>
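
The renaming proposed in the message above, as an added example that is not part of the original post or of any mail client's code: a saved attachment gets a final extension derived from its declared Content-Type, in the style of an RFC 1524 `nametemplate`. The template table, the fallback extension, the function names and the sample message are all assumptions constructed for this illustration.

```python
import os
import tempfile
from email import message_from_string

# Constructed mailcap-style table (assumption): content type -> nametemplate, RFC 1524 "%s" form.
NAMETEMPLATES = {
    "application/x-shockwave-flash": "%s.swf",
    "image/png": "%s.png",
    "text/plain": "%s.txt",
}
FALLBACK_TEMPLATE = "%s.bin"  # assumption: unknown types get an inert extension

# Constructed sample message modelled on the attachment quoted in the thread.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: application/x-shockwave-flash; name="hello.exe"
Content-Transfer-Encoding: base64
Content-ID: <KR>

AAAA
"""

def safe_name(declared_name, content_type):
    """Return a file name whose final extension matches the declared Content-Type."""
    # Drop path components and control characters supplied by the sender.
    base = os.path.basename((declared_name or "attachment").replace("\\", "/"))
    base = "".join(c for c in base if c.isprintable()).strip(". ") or "attachment"
    template = NAMETEMPLATES.get(content_type.lower(), FALLBACK_TEMPLATE)
    suffix = template.replace("%s", "", 1)
    # Keep the name unchanged only when it already ends with the type's own extension.
    if base.lower().endswith(suffix):
        return base
    return template.replace("%s", base, 1)

def store_part(part, directory):
    """Save one MIME part under a type-consistent name; returns the path written."""
    name = safe_name(part.get_filename(), part.get_content_type())
    path = os.path.join(directory, name)
    with open(path, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(part.get_payload(decode=True) or b"")
    return path

def demo():
    msg = message_from_string(SAMPLE)
    with tempfile.TemporaryDirectory() as d:
        return os.path.basename(store_part(msg, d))

if __name__ == "__main__":
    print(demo())
```
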