by rtomayko 4993 days ago
We actually don't care about rate limits with this type of raw request. The limits are in place because people (usually porn sites) hot link js/css/image assets which can lead quickly to an insane number of requests.

If file extensions could be used to determine whether a resource could be used like this, we'd only apply the rate limits to those. Browsers don't care about extensions or even content types though. They'll happily use whatever's at the other end of a URL for <link rel=stylesheet>, <script>, and <img> tags.

As for whitelisting, it's a path we just don't want to go down for raw requests. We do a lot of that for the API and it isn't cheap to maintain.

2 comments

Browsers will ignore content-type in many cases (html5 embraced that quirk), but they do have to sniff the bytes to confirm their hunch. You could use `file` to detect images. Or use the content length, maybe by changing hit quotas into bandwidth quotas.

https://code.google.com/p/browsersec/wiki/Part2#Content_hand...
http://mimesniff.spec.whatwg.org/
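The comment above makes two suggestions: sniff the bytes rather than trusting the extension or declared Content-Type, and consider a byte-based quota instead of a per-hit quota. The following is an added example written for this thread (not GitHub's code, and not from either commenter) that does both. It assumes a hypothetical raw-file endpoint that wants to apply hotlink limits only to responses a browser would render as an image, whatever the URL ends in. The image signatures follow the image patterns in the WHATWG MIME Sniffing spec linked above; `BandwidthQuota` and all sample bytes are constructed for illustration.

```python
"""Magic-byte sniffing plus a byte-based quota for raw file responses.

Added example, not the project's own code. Assumptions: a raw-file endpoint
wants to rate-limit only responses that browsers will treat as images, and
prefers to count bytes served per client rather than requests.
"""
from collections import defaultdict
from typing import Optional

# Prefix patterns from the WHATWG MIME Sniffing spec's image table.
# Note that "BM" (BMP) is only two bytes and will match any text that
# happens to start with those letters; the spec accepts that trade-off.
IMAGE_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"BM", "image/bmp"),
    (b"\x00\x00\x01\x00", "image/x-icon"),
]


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the sniffed image MIME type, or None if the bytes are not an image.

    Only the first 16 bytes are inspected, which is all the patterns need.
    """
    head = data[:16]
    for signature, mime in IMAGE_SIGNATURES:
        if head.startswith(signature):
            return mime
    # WebP: "RIFF" <4-byte little-endian size> "WEBP"; the size bytes are skipped.
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    return None


def is_hotlinkable_asset(data: bytes) -> bool:
    """True when a browser would render these bytes in an <img> tag,
    regardless of the file extension or declared Content-Type."""
    return sniff_image_type(data) is not None


class BandwidthQuota:
    """Hypothetical per-client byte quota (the 'bandwidth quota' idea above).

    A large image that is hot-linked many times exhausts the quota by volume,
    while many small raw fetches of source files do not.
    """

    def __init__(self, limit_bytes: int) -> None:
        self.limit = limit_bytes
        self.used = defaultdict(int)

    def allow(self, client: str, size: int) -> bool:
        """Charge `size` bytes to `client`; refuse if that would exceed the limit."""
        if self.used[client] + size > self.limit:
            return False
        self.used[client] += size
        return True


# Constructed samples: a minimal PNG header, a WebP header and a JS snippet.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
SAMPLE_WEBP = b"RIFF\x24\x00\x00\x00WEBPVP8 "
SAMPLE_JS = b"var x = 1;\n"

if __name__ == "__main__":
    # A file named "readme.png" that is really JavaScript is not an image,
    # and a file named "notes.txt" that is really a PNG still is.
    for name, body in [("readme.png", SAMPLE_JS), ("notes.txt", SAMPLE_PNG)]:
        print(name, "->", sniff_image_type(body), "hotlinkable:", is_hotlinkable_asset(body))
    quota = BandwidthQuota(limit_bytes=100)
    print("first 60 bytes allowed:", quota.allow("client-a", 60))
    print("next 50 bytes allowed:", quota.allow("client-a", 50))
```

The classification happens on the bytes the endpoint is about to serve, so an attacker renaming a file changes nothing; only the content decides whether the hotlink limit applies.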

"The limits are in place because people (usually porn sites) hot link js/css/image assets"

I'd like to be surprised by that but I'm not.