W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: Content Sniffing impact on HTTPbis - #155

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Jun 2009 22:31:14 -0700
Message-ID: <7789133a0906122231s7793efb3l8e929d4154b3d6f8@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: David Morris <dwm@xpasc.com>, ietf-http-wg@w3.org
On Fri, Jun 12, 2009 at 7:57 PM, Adrien de Croy<adrien@qbik.com> wrote:
> Adam Barth wrote:
>> For better or worse, we can't use file extensions as part of the
>> content sniffing algorithm because it's insecure.  In many attack
>> scenarios, the attacker chooses the file extension.
>
> I presume therefore you can't use the content-type or file content either,
> since these are also potentially provided by an attacker?

The content sniffing algorithm is a careful balancing act of
compatibility and security concerns.  For an in-depth discussion of
the security rationale behind the current algorithm, please see:
http://www.adambarth.com/papers/2009/barth-caballero-song.pdf

> I'm not sure what a Windows client that wants to launch an external
> application will do if it can't use the file extension, unless there's some
> database in Windows that maps to executables on some index other than file
> extension?

Thankfully this algorithm is not intended for use by a Windows client
in determining which external application to launch.

> How does Chrome handle this?

Chrome determines which external application to launch by the file
extension, not by the media type.  However, that's somewhat irrelevant
to this discussion.

Adam
Received on Saturday, 13 June 2009 05:32:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:03 GMT