Pattern for `application/vnd.ms-fontobject` prone to false-positives

[silverwind]

What is the issue with the MIME Sniffing Standard?

https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern specifies that application/vnd.ms-fontobject is detectable like this:

34 bytes followed by the string "LP", the Embedded OpenType signature.

This is very prune to false-positives. If possible, define a more precise pattern or remove this inprecise pattern from the standard.

[GPHemsley]

I think that's fair; the bytemask algorithm is very heavy-handed.

It should be noted, however, that the spec explicitly scopes this pattern to situations when sniffing for fonts explicitly. The "font type pattern matching algorithm" is only ever used by "rules for sniffing fonts specifically", which is an algorithm hook that was designed by things like CSS's @font-face but is not to my knowledge used by any standard.

It looks like Go is including the font patterns when sniffing in a browsing context, which is in contradiction to the spec:
https://github.com/golang/go/blob/7251c9e0f00a6d7d37bb441f3e823c160131e9b5/src/net/http/sniff.go#L66-L195

[silverwind]

Also to note is that application/vnd.ms-fontobject is the EOT font format, which according to https://caniuse.com/eot was only ever supported in Internet Explorer, which of today represents only 0.43% of global user agents. Given that only a single implementation exists in a dread browser, removing it from the standard could be considered.

It looks like Go is including the font patterns when sniffing in a browsing context, which is in contradiction to the spec

It's implemented as part of general-purpose API http.DetectContentType(bytes) which is used to determine a mime type for HTTP usage given byte stream, so definitely not restricted to fonts only.

[GPHemsley]

See also:

• Define "context" #97