
Re: security impact of dropping charset default

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 23 Jan 2008 10:34:53 -0800
Message-Id: <265DE617-3A5B-4C64-8ACD-387CAC981E7F@gbiv.com>
Cc: David Morris <dwm@xpasc.com>, HTTP Working Group <ietf-http-wg@w3.org>
To: Julian Reschke <julian.reschke@gmx.de>

On Jan 23, 2008, at 9:17 AM, Julian Reschke wrote:
> David Morris wrote:
>> It seems to me that if there is a known security exposure for applications
>> built on HTTP, then the httpbis document should at the minimum note the
>> issue and provide a reference to the details. Seems like appropriate
>> content for the security section.
> My understanding was that that security risk is not specific to
> content transported over HTTP at all -- so I'd rather not talk
> about it in *this* document.

Because the only known way to avoid the security holes in existing
browsers that sniff UTF-7 is to add a charset parameter even when
the exact charset is not known to the server.  That is specific to
HTTP and is a known problem due to browsers ignoring the existing
requirements of HTTP that this thread intends to remove.

Received on Wednesday, 23 January 2008 18:35:02 UTC
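As an added example, not part of this thread or of any HTTP implementation, here is one way to apply the workaround Roy describes on the server side: a small Python filter that appends a charset parameter to any text/* Content-Type that arrives without one, so a browser never has to guess. The media-type parser, the DEFAULT_CHARSET value and the harden_headers helper are assumptions for illustration; the charset actually declared is the operator's choice.

```python
import re
from typing import Dict, List, Tuple

# Assumed default: what to declare when the server does not know the real
# charset. Per the thread, declaring *some* charset is what stops sniffing;
# the operator picks the value that matches their content.
DEFAULT_CHARSET = "ISO-8859-1"

# RFC 2616 token characters and a ';name=value' parameter (value may be quoted).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(r';\s*(' + _TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r')')


def parse_media_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; p=v; q="w"' into ('type/subtype', {'p': 'v', 'q': 'w'}).
    Type and parameter names are case-insensitive, so they are lower-cased."""
    head, sep, rest = value.partition(";")
    media_type = head.strip().lower()
    params: Dict[str, str] = {}
    for m in _PARAM.finditer(";" + rest if sep else ""):
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):  # unquote and drop backslash escapes
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        params[name] = raw
    return media_type, params


def ensure_charset(content_type: str, default: str = DEFAULT_CHARSET) -> str:
    """Return the Content-Type unchanged if it is not text/* or already names a
    charset; otherwise append '; charset=<default>' so browsers do not sniff."""
    media_type, params = parse_media_type(content_type)
    if not media_type.startswith("text/") or "charset" in params:
        return content_type
    return re.sub(r"[\s;]+$", "", content_type) + "; charset=" + default


def harden_headers(headers: List[Tuple[str, str]],
                   default: str = DEFAULT_CHARSET) -> List[Tuple[str, str]]:
    """Copy a (name, value) header list, fixing every Content-Type header."""
    return [(n, ensure_charset(v, default) if n.lower() == "content-type" else v)
            for n, v in headers]
```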
