W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2008

Re: security impact of dropping charset default

From: James Graham <jg307@cam.ac.uk>
Date: Wed, 23 Jan 2008 17:35:30 +0000
Message-ID: <47977AE2.7030503@cam.ac.uk>
To: Anne van Kesteren <annevk@opera.com>
CC: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>, ietf-http-wg@w3.org

Anne van Kesteren wrote:
> 
> On Wed, 23 Jan 2008 13:46:00 +0100, Frank Ellermann 
> <nobody@xyzzy.claranet.de> wrote:
>> IMO it's generally a good idea to deprecate UTF-7 and Unicode-1-1,
>> and as far as I know one of the authors (Mark) and other experts
>> (Addison) would also support to deprecate UTF-7.  How about that
>> "general" solution ?
> 
> What does deprecate mean? If support for UTF-7 can't be removed than 
> deprecating it will hardly matter. (I'm not sure whether support can or 
> can not be removed, but I'd expect there to be content to rely on it.) 
> Roy's suggestion of not sniffing for it seems like better advice to 
> implementors than a notion of it being deprecated.
> 
> 
FWIW HTML 5 says "User agents must not support the CESU-8, UTF-7, BOCU-1 and 
SCSU encodings" [1]

It has a similar constraint that authors must not use those encodings. As you 
say, this means nothing if support is required for web-compatibility.

[1] http://www.whatwg.org/specs/web-apps/current-work/#character0

-- 
"Eternity's a terrible thought. I mean, where's it all going to end?"
  -- Tom Stoppard, Rosencrantz and Guildenstern are Dead
Received on Wednesday, 23 January 2008 17:35:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:36 GMT