Re: security impact of dropping charset default

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 5 Feb 2008 07:34:35 -0800
Cc: Yves Lafon <ylafon@w3.org>, Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <81B4A745-7224-4949-837A-49EB372DA5D3@mnot.net>
To: Henrik Nordström <henrik@henriknordstrom.net>

Resolved as per:
   http://www3.tools.ietf.org/wg/httpbis/trac/ticket/20#comment:4


On 05/02/2008, at 7:03 AM, Henrik Nordström wrote:

>
> On Thu 2008-01-24 at 11:30 -0500, Yves Lafon wrote:
>
>> It would be a nice addition to describe the issue in general, not only
>> for HTML content, when UAs are into the "content sniffing" business. It
>> fits well in the security section of HTTP.
>>
>> The specific case of HTML needs also to be explained, but has its place
>> in a document reserved for browser implementors. I am pretty sure there
>> is already one that can be extended that way.
>
> Adding a note in security considerations mentioning why servers'
> explicit intentions on content-type and/or charset or encoding MUST NOT
> be second-guessed by sniffing sounds like a good idea to me.
>
> Regards
> Henrik


--
Mark Nottingham     http://www.mnot.net/
Received on Tuesday, 5 February 2008 15:35:06 GMT
