W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: TAG requests addition to section 3.2.1 of Part 3

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 20 Dec 2009 17:44:16 -0800
Message-ID: <7789133a0912201744kfd08b27qfc21bbf6440f9fa1@mail.gmail.com>
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: ietf-http-wg@w3.org
This text looks good to me.  It strikes a balance between discouraging
sniffing and recognizing that some UAs will sniff.  I'd prefer that we
gave more precise advice, but you can't get everything you want in
life.  (Minor grammar nits below.)

On Fri, Dec 18, 2009 at 11:19 AM, Henry S. Thompson <ht@inf.ed.ac.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> During its telcon of 2009-12-17 [1], the TAG agreed to request that
> the following paragraphs be added at the end of section 3.2.1 of Part
> 3 of HTTP bis [2]:
>
>  If the Content-Type header field _is_ present, a receipient which

which -> that

>  interprets the underlying data in a way inconsistent with the
>  specified media type risks drawing incorrect conclusions.
>
>  In practice, however, currently-deployed servers sometime provide a

currently-deployed -> currently deployed

>  Content-Type header which does not correctly identify the content

which -> that

>  sent, with the result that some classes of recipients have adopted a
>  policy of examining the content and overriding the specified type.
>
>  Such 'sniffing' SHOULD NOT be done unless there is evidence that the
>  specified media type is in error (for example, because it is
>  'text/plain' but there are bytes in the data which are not legal for
>  the specified or defaulted charset).  In any case recipients SHOULD
>  NOT override the specified type if the change would significantly
>  increase the security exposure ('privilege escalation').
>
>  Deploying any heuristic for detecting mistaken Content-Types risks
>  overriding user intentions and misrepresenting data---accordingly
>  recipients SHOULD provide for users to disable sniffing in general
>  and/or in particular cases.
>
> Thank you,
>
> ht, by and on behalf of the TAG
>
> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p3-payload-08#section-3.2.1
> [2] http://www.w3.org/2001/tag/2009/12/17-minutes.html#item05
> - --
>       Henry S. Thompson, School of Informatics, University of Edinburgh
>                         Half-time member of W3C Team
>      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
>                Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
>                       URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFLK9XPkjnJixAXWBoRAudxAJ9YZg70dC0piSh+34ftR5+X4n/y9wCdEHnw
> rWL3bWKkuX4nqIHyKmBQ4wI=
> =sZXk
> -----END PGP SIGNATURE-----
>
>
Received on Monday, 21 December 2009 01:45:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:14 GMT