W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: NEW ISSUE: content sniffing

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Tue, 07 Apr 2009 15:11:47 -0700
Message-ID: <49DBCFA3.8000904@KingsMountain.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
 > Ian Hickson <ian@hixie.ch> wrote:
 >
 > We're not saying HTTP should care about them. We're saying that one of
 > these two options should be picked:
 >
 > Either:
 >
 > a) HTTP should not have any requirements for how to process Content-Type
 > headers, and should just leave Content-Type to another spec, or:
 >
 > b) HTTP should include the proposed limited Content-Sniffing algorithm,
 > which would allow us to get software tools to converge on a single set of
 > heuristics and thus reduce the security risk.


upon reflection WRT the above, I would pick option (a) -- i.e. RFC2616 (s7.2.1) 
arguably says "too much" concerning the Content-Type header field. My 
overriding rationale being that there is a (growing) plethora of "protocols" 
layered upon HTTP, and RFC2616 was written back when a "web browser cum user" 
(my poor phrase) was arguably dominant.

Here's the relevant last para of section 7.2.1..

     7.2.1 Type

     <snip/>

     Any HTTP/1.1 message containing an entity-body SHOULD include a
     Content-Type header field defining the media type of that body. If
     and only if the media type is not given by a Content-Type field, the
     recipient MAY attempt to guess the media type via inspection of its
     content and/or the name extension(s) of the URI used to identify the
     resource. If the media type remains unknown, the recipient SHOULD
     treat it as type "application/octet-stream".

Specifically, I'm thinking that the last paragraph really should read
something more like..

     Any HTTP/1.1 message containing an entity-body SHOULD include a
     Content-Type header field defining the media type of that body.
     Processing of the entity-body SHOULD be based on the Content-Type
     header field value and MAY be based as well on other header field
     values.  Definition of such further processing is out-of-scope of
     this specification. If the media type is not given by a
     Content-Type header field the recipient's behavior is not defined
     by this specification.

..though I'm not very sure about the last sentence (wrt absence of
Content-Type header field).

Might this -- i.e. the last para of RFC2616 s7.2.1 presently saying "too much" 
-- be viewed as a "bug" in RFC2616?


Overall this thread of course begs the question of where/how to publish 
draft-abarth-mime-sniff and/or other specs defining behavior(s) of (certain 
classes of) HTTP-based apps and their implementations. E.g. how do we signal to 
browser vendors et al the set of HTTP-oriented specs (for example) they ought 
to adhere to (this question of course applies to the specs of a wide array of 
protocols and formats).

thanks,

=JeffH
Received on Tuesday, 7 April 2009 22:13:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:02 GMT