Spun off from #70 (comment)
Doctype should be <!doctype html>
OK, I worry a bit that we are relying too much on the MIME type if we don't have a <!doctype mapml> or root mapml element, but maybe that is misplaced concern, as I don't fully understand what these <!doctype html> and root html are used for.
The MIME type is appropriate for switching processing generally. The doctype is used for switching between quirks mode, limited-quirks and no-quirks, but shouldn't be used as a mechanism for new switches. With a new MIME type, the HTML parser can be configured to force no-quirks and thus make the doctype optional. This is already done for <iframe srcdoc="...">.
For the root element, what would it do? It mostly doesn't do anything in HTML, and MapML could similarly not do anything with it.
(or maybe allow omitting it for new MIME type)
Yes. Again I'm a little fuzzy about the implication of not having a doctype and relying solely on the MIME type.
There are two cases:
- MapML document loaded from <layer src>
- MapML document loaded in a browsing context (top-level or in <iframe src> etc)
In the first case, you could ignore even the MIME type, but that is not recommended because ignoring MIME types has a history of security problems and the trend is to enforce MIME types where possible. You could allow both text/html and text/mapml, but being strict and only successfully loading text/mapml seems better for security:
- it's not possible to use <layer src> pointing to victim HTML page and have it leak information
- if MapML documents are loaded with scripting disabled or other sandboxing restrictions, allowing text/html in <layer> can allow attackers to trick users into loading the MapML document in a top-level browsing context (e.g. by emailing a link or through ads) and circumvent those restrictions.
In the second case, you'd need something if there is to be a processing difference between showing an HTML document and showing a MapML document (which appears to be desired). The MIME type is the right tool here I think.
When loading from local file system, it's more common to have file extensions be the equivalent source of truth as MIME types do on the web. But this might need cooperation from the OS for some OSes. I don't know enough about how this works, but having HTML and MapML needing different processing and not being able to tell them apart from sniffing seems like it can be a problem. It might even be a problem on the web.
That said, if we want a sniffable signature for MapML, those are most effective if the signature is required to be right at the start and be a fixed amount of bytes (like XML's "<?xml "). Those bytes could be the characters "<!doctype mapml>" (ASCII case-insensitive). But again this would be sniffing to verify the format and happen before the HTML parser consumes those characters.
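
The two checks discussed above, strict text/mapml enforcement for <layer src> and a fixed-position <!doctype mapml> signature, as an added example. It is not code from this issue or from any MapML implementation; the function names and the requireSignature option are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not part of any MapML implementation.
const MAPML_TYPE = "text/mapml";
const SIGNATURE = "<!doctype mapml>"; // 16 bytes, matched ASCII case-insensitively

// Reduce a Content-Type header value to its lowercase "type/subtype" essence,
// dropping parameters such as charset. Returns null for missing or malformed values.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/;]+\/[^\s\/;]+$/.test(essence) ? essence : null;
}

// True only when the signature occupies bytes 0..15 of the body. No leading
// whitespace or BOM is skipped: the check is fixed-position and fixed-length.
function hasMapmlSignature(bytes) {
  if (bytes.length < SIGNATURE.length) return false;
  for (let i = 0; i < SIGNATURE.length; i++) {
    let b = bytes[i];
    if (b >= 0x41 && b <= 0x5a) b += 0x20; // fold ASCII A-Z to a-z
    if (b !== SIGNATURE.charCodeAt(i)) return false;
  }
  return true;
}

// Decide whether a <layer src> response may be processed as MapML.
// text/html is refused outright, so a victim HTML page cannot be read through
// <layer>, and a sandboxed MapML document cannot also be served as text/html.
function checkLayerResponse(contentType, bodyBytes, { requireSignature = false } = {}) {
  const essence = mimeEssence(contentType);
  if (essence !== MAPML_TYPE) {
    return { ok: false, reason: `unexpected MIME type: ${essence ?? "none"}` };
  }
  // Signature sniffing runs on raw bytes, before any parser consumes them.
  if (requireSignature && !hasMapmlSignature(bodyBytes)) {
    return { ok: false, reason: "missing <!doctype mapml> signature at byte 0" };
  }
  return { ok: true, reason: "text/mapml accepted" };
}

// Constructed sample responses (not captured traffic).
const sampleBody = new TextEncoder().encode("<!DOCTYPE MapML><map-extent></map-extent>");
console.log(checkLayerResponse("text/mapml; charset=utf-8", sampleBody, { requireSignature: true }));
console.log(checkLayerResponse("text/html", sampleBody));
```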