- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 23 Jan 2008 20:38:18 +0100
- To: "Roy T. Fielding" <fielding@gbiv.com>
- CC: David Morris <dwm@xpasc.com>, HTTP Working Group <ietf-http-wg@w3.org>
Roy T. Fielding wrote:
> Because the only known way to avoid the security holes in existing
> browsers that sniff UTF-7 is to add a charset parameter even when
> the exact charset is not known to the server. That is specific to
> HTTP and is a known problem due to browsers ignoring the existing
> requirements of HTTP that this thread intends to remove.

Hm.

1) MIME says: default for text/* is US-ASCII.

2) RFC2616 says: default for text/* is ISO-8859.

3) Browsers do content sniffing, thus they ignore both 1) and 2).

So if we remove 2), how does this change the situation WRT sniffing?

I'm not totally opposed to mentioning this, but I'd really like to understand how the intended change changes the situation...

BR, Julian
Received on Wednesday, 23 January 2008 19:38:38 UTC
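
The mitigation mentioned in the quoted text (sending a charset parameter on text/* responses so the browser has nothing to sniff) can be checked mechanically. The sketch below is an added example, not part of the original message or of any HTTP specification text; the function names and the fallback label `iso-8859-1` are assumptions chosen for illustration.

```python
from email.message import Message

# Assumption: the label a server falls back to when it does not know the
# real encoding. The thread does not prescribe a value.
FALLBACK_CHARSET = "iso-8859-1"


def parse_content_type(value):
    """Return (media_type, charset or None) for a Content-Type value."""
    msg = Message()
    msg["Content-Type"] = value
    charset = msg.get_param("charset")
    if isinstance(charset, tuple):      # RFC 2231 encoded parameter
        charset = charset[2]
    # Note: get_content_type() reports malformed values as text/plain,
    # so they are flagged below rather than silently accepted.
    return msg.get_content_type(), charset


def audit_response(headers):
    """Classify one response (dict of header name -> value)."""
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), None)
    if ctype is None:
        return "missing-content-type"   # browser must guess everything
    media, charset = parse_content_type(ctype)
    if not media.startswith("text/"):
        return "not-text"
    if not charset:
        return "text-without-charset"   # leaves the encoding to sniffing
    return "ok"


def with_explicit_charset(ctype, fallback=FALLBACK_CHARSET):
    """Add a charset parameter to a text/* value that lacks one."""
    media, charset = parse_content_type(ctype)
    if media.startswith("text/") and not charset:
        return f"{ctype.rstrip('; ')}; charset={fallback}"
    return ctype


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        {"Content-Type": "text/html"},
        {"content-type": "text/plain; charset=UTF-8"},
        {"Content-Type": "image/png"},
        {},
    ]
    for headers in samples:
        print(headers, "->", audit_response(headers))
    print(with_explicit_charset("text/html"))
```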