
TAG requests addition to section 3.2.1 of Part 3

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Fri, 18 Dec 2009 19:19:43 +0000
To: ietf-http-wg@w3.org
Message-ID: <f5bskb8ytrk.fsf@hildegard.inf.ed.ac.uk>

During its telcon of 2009-12-17 [1], the TAG agreed to request that
the following paragraphs be added at the end of section 3.2.1 of Part
3 of HTTP bis [2]:

  If the Content-Type header field _is_ present, a recipient which
  interprets the underlying data in a way inconsistent with the
  specified media type risks drawing incorrect conclusions.

  In practice, however, currently-deployed servers sometimes provide a
  Content-Type header which does not correctly identify the content
  sent, with the result that some classes of recipients have adopted a
  policy of examining the content and overriding the specified type.

  Such 'sniffing' SHOULD NOT be done unless there is evidence that the
  specified media type is in error (for example, because it is
  'text/plain' but there are bytes in the data which are not legal for
  the specified or defaulted charset).  In any case recipients SHOULD
  NOT override the specified type if the change would significantly
  increase the security exposure ('privilege escalation').

  Deploying any heuristic for detecting mistaken Content-Types risks
  overriding user intentions and misrepresenting data---accordingly
  recipients SHOULD provide for users to disable sniffing in general
  and/or in particular cases.

Thank you,

ht, by and on behalf of the TAG

[1] http://tools.ietf.org/html/draft-ietf-httpbis-p3-payload-08#section-3.2.1
[2] http://www.w3.org/2001/tag/2009/12/17-minutes.html#item05
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
                         Half-time member of W3C Team
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Received on Friday, 18 December 2009 19:20:12 GMT
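
The decision procedure proposed in the message above, sketched as an added example that is not part of the original message or of any HTTPbis draft. The signature table, the risk ranking, the function names and the treatment of C0 control bytes as "not legal" text are assumptions; ISO-8859-1 is used as the defaulted charset, as in RFC 2616.

```python
# Added example. The signature table, risk ranking and names below are
# assumptions made for illustration, not taken from any specification.
SIGNATURES = [                      # constructed, deliberately tiny
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]
ACTIVE_MARKERS = (b"<html", b"<script", b"<iframe")
# Higher number = more capability handed to the content (assumed ranking).
RISK = {"text/plain": 0, "image/png": 0, "image/gif": 0,
        "application/pdf": 1, "text/html": 2}
ALLOWED_CONTROLS = {0x09, 0x0A, 0x0C, 0x0D}   # tab, LF, FF, CR


def has_evidence_of_error(declared, charset, body):
    """True if the body cannot be what a text/* Content-Type says it is."""
    if not declared.startswith("text/"):
        return False
    try:
        body.decode(charset or "iso-8859-1")
    except LookupError:             # unknown charset label: cannot judge
        return False
    except UnicodeDecodeError:
        return True
    # Assumption: C0 control bytes other than whitespace are not legal text.
    return any(b < 0x20 and b not in ALLOWED_CONTROLS for b in body)


def sniff(body):
    for magic, media_type in SIGNATURES:
        if body.startswith(magic):
            return media_type
    if any(m in body[:512].lower() for m in ACTIVE_MARKERS):
        return "text/html"
    return None


def effective_media_type(declared, charset, body, sniffing_enabled=True):
    """Return (type to act on, reason) under the proposed rules."""
    if not sniffing_enabled:
        return declared, "sniffing disabled by user"
    if not has_evidence_of_error(declared, charset, body):
        return declared, "no evidence of error"
    candidate = sniff(body)
    if candidate is None or candidate == declared:
        return declared, "nothing better found"
    if RISK[candidate] > RISK.get(declared, 0):
        return declared, "override refused: privilege escalation"
    return candidate, "overridden on evidence"
```

The returned reason string is what a recipient would log, so that each override or refusal can be audited.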
