
Re: security impact of dropping charset default

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 23 Jan 2008 20:38:18 +0100
Message-ID: <479797AA.8080808@gmx.de>
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: David Morris <dwm@xpasc.com>, HTTP Working Group <ietf-http-wg@w3.org>

Roy T. Fielding wrote:
> Because the only known way to avoid the security holes in existing
> browsers that sniff UTF-7 is to add a charset parameter even when
> the exact charset is not known to the server.  That is specific to
> HTTP and is a known problem due to browsers' ignoring the existing
> requirements of HTTP that this thread intends to remove.
1) MIME says: default for text/* is US-ASCII.
2) RFC2616 says: default for text/* is ISO-8859.
3) Browsers do content sniffing, thus they ignore both 1) and 2).

So if we remove 2), how does this change the situation WRT sniffing?

I'm not totally opposed to mentioning this, but I'd really like to 
understand how the intended change changes the situation...

BR, Julian
Received on Wednesday, 23 January 2008 19:38:38 UTC
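The three-way disagreement Julian lists (MIME default, RFC 2616 default, browser sniffing) is easy to see in code. The following is an added example, not code from the thread or from any of its participants: it applies the RFC 2616 rule (declared charset, else ISO-8859-1 for text/*), models a client that instead guesses UTF-7, and flags the case Roy describes, a text/* response with no charset parameter, which is the only input on which the two readings can diverge. The sample body, the function names and the use of Python's stdlib `email.message` parser for the Content-Type value are assumptions of the example.

```python
import email.message

# RFC 2616 default for text/* bodies on HTTP when no charset parameter is
# present; MIME on its own would default to US-ASCII instead.
HTTP_TEXT_DEFAULT = "iso-8859-1"


def parse_content_type(value):
    """Split a Content-Type value into (maintype, charset or None)
    using the stdlib MIME header parser."""
    msg = email.message.Message()
    msg["Content-Type"] = value
    return msg.get_content_maintype(), msg.get_content_charset()


def decode_per_http(body, content_type):
    """Interpret the body as RFC 2616 tells a client to: the declared
    charset if present, otherwise ISO-8859-1 for text/*."""
    maintype, charset = parse_content_type(content_type)
    if charset is None and maintype == "text":
        charset = HTTP_TEXT_DEFAULT
    if charset is None:
        return None  # non-text body with no charset: not decoded as text
    return body.decode(charset, errors="replace")


def decode_as_utf7_sniffer(body):
    """Model a client that guesses UTF-7 when nothing is declared.
    Returns None when the bytes are not valid UTF-7."""
    try:
        return body.decode("utf-7")
    except UnicodeDecodeError:
        return None


def charset_ambiguity(body, content_type):
    """Return (spec_text, sniffed_text) when a text/* response without a
    charset parameter is read differently by a UTF-7 sniffer, else None.
    A declared charset removes the ambiguity regardless of the bytes."""
    maintype, charset = parse_content_type(content_type)
    if maintype != "text" or charset is not None:
        return None
    spec = decode_per_http(body, content_type)
    sniffed = decode_as_utf7_sniffer(body)
    if sniffed is None or sniffed == spec:
        return None
    return spec, sniffed


def check_content_type(content_type):
    """The mitigation the thread refers to: every text/* response should
    carry an explicit charset so a client has nothing to guess.
    Returns a finding string or None."""
    maintype, charset = parse_content_type(content_type)
    if maintype == "text" and charset is None:
        return "text/* response without charset parameter; add one (e.g. charset=utf-8)"
    return None


# Constructed sample: pure ASCII bytes that are inert under ISO-8859-1 but
# carry markup characters when read as UTF-7 ('+ADw-' is '<', '+AD4-' is '>').
SAMPLE_BODY = b"+ADw-b+AD4-bold+ADw-/b+AD4-"

if __name__ == "__main__":
    print(charset_ambiguity(SAMPLE_BODY, "text/html"))
    print(charset_ambiguity(SAMPLE_BODY, "text/html; charset=utf-8"))
    print(check_content_type("text/html"))
```

Run as-is, the first call reports the two readings of the same bytes, the second returns None because the charset parameter settles the interpretation, and the third is the finding a response-header check would raise. Removing the ISO-8859-1 default from the spec changes what `decode_per_http` returns for an undeclared text/* body, but not what a sniffing client does with it, which is the question Julian is asking.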
