WRARRRRRR!!
Cookie stealing make Cookie Monster MAD!
Security researchers have unpicked a flaw in Google spreadsheets that allows cookie stealing. The cross-site scripting vulnerability enables attackers to use stolen cookies to access any Google service a user has registered, including accessing a victim's Google mail account. Google has now plugged the vulnerability, …
The thing that bothers me about this is the expert's motivation. I really hope he is fully and adequately compensated for doing the right thing. What happens if some other security expert finds himself on the edge of starvation, and there he is with a security hole of high value to some criminal organization?
Actually, MS only guess the content-type if it is not sent by the webserver, or if it is one of 26 "known" types.
http://msdn2.microsoft.com/en-us/library/ms775147.aspx
Why? Well, that's more infinite wisdom from Microsoft, in order to "make it easier for an average Joe to put up a personal website without worrying about mimetype details"
http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx
It's a shame that Gupta doesn't recognise that most websites are put up by professionals*, and that their perhaps well intentioned code is a frigging nightmare at times. "Asking everybody to fix their servers" is precisely what they should do. We expect Microsoft to fix their software, adhere to standards, &c, and they have a right, nay duty, to expect the same in return.
* Insert some reference to professionals using apache and amateurs using IIS here
("infinite wisdom" is a registered trademark of Microsoft Corporation ... well, probably)
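An added example, not part of the comments above: a defender-side audit that flags responses a content-sniffing browser could render as HTML despite the declared type, which is the behaviour discussed in the MIME-type comment. The function name `sniff_risk`, the tag list, the 256-byte window and the sample responses are assumptions constructed for illustration, and the `X-Content-Type-Options: nosniff` header it honours is a later mitigation that the thread does not mention.

```python
import re

# HTML-looking markup near the start of a body. Simplified, constructed list;
# it is not the browser's real sniffing table.
HTML_HINT = re.compile(rb"<\s*(html|head|body|script|iframe|img|table|a\s)", re.I)
SNIFF_WINDOW = 256  # bytes examined from the start of the body (assumption)
HTML_TYPES = ("text/html", "application/xhtml+xml")


def sniff_risk(headers, body):
    """Return reasons why a sniffing browser might treat this response as HTML
    although the server did not declare it as HTML. Empty list means no finding."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()

    # Declared HTML: the MIME type is not the problem, output encoding is.
    if ctype in HTML_TYPES:
        return []
    # Server explicitly told the browser not to second-guess the type.
    if h.get("x-content-type-options", "").lower() == "nosniff":
        return []

    reasons = []
    if not ctype:
        reasons.append("no Content-Type header, browser has to guess")
    if HTML_HINT.search(body[:SNIFF_WINDOW]):
        declared = ctype or "nothing"
        reasons.append("HTML-like markup in first %d bytes, declared as %s"
                       % (SNIFF_WINDOW, declared))
    return reasons


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "csv export, user cell holds markup":
        ({"Content-Type": "text/plain"}, b"<table><tr><td>cell</td></tr></table>"),
    "same export with nosniff":
        ({"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
         b"<table><tr><td>cell</td></tr></table>"),
    "no type at all":
        ({}, b"name,value\n1,2\n"),
    "plain csv":
        ({"Content-Type": "text/csv; charset=utf-8"}, b"name,value\n1,2\n"),
}

if __name__ == "__main__":
    for label, (hdrs, body) in SAMPLES.items():
        print(label, "->", sniff_risk(hdrs, body) or "ok")
```

Run over a crawl of your own application's responses, any non-empty result marks an endpoint that returns user-influenced content and should either declare its type strictly or be served from a cookie-less origin.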