W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: TAG requests addition to section 3.2.1 of Part 3 [#155]

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 30 Dec 2009 09:53:06 +1100
Cc: ietf-http-wg@w3.org
Message-Id: <622CD6E1-C16C-477B-834C-2BF8A31B830B@mnot.net>
To: Henry S. Thompson <ht@inf.ed.ac.uk>
Henry,

As you may know, the WG has already extensively discussed Content Sniffing, in <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/155>, and we thought we were in a position to consider the issue closed.

The discussions leading up to the current text were voluminous (search the mail archives for messages with a subject including "155" and/or "sniff"), so while we can certainly talk about adding more, I'm reluctant to do so unless we get good review. In particular, has the TAG coordinated this proposal with the HTML5 WG?

Regards,


On 19/12/2009, at 6:19 AM, Henry S. Thompson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> During its telcon of 2009-12-17 [1], the TAG agreed to request that
> the following paragraphs be added at the end of section 3.2.1 of Part
> 3 of HTTP bis [2]:
> 
>  If the Content-Type header field _is_ present, a receipient which
>  interprets the underlying data in a way inconsistent with the
>  specified media type risks drawing incorrect conclusions.
> 
>  In practice, however, currently-deployed servers sometime provide a
>  Content-Type header which does not correctly identify the content
>  sent, with the result that some classes of recipients have adopted a
>  policy of examining the content and overriding the specified type.
> 
>  Such 'sniffing' SHOULD NOT be done unless there is evidence that the
>  specified media type is in error (for example, because it is
>  'text/plain' but there are bytes in the data which are not legal for
>  the specified or defaulted charset).  In any case recipients SHOULD
>  NOT override the specified type if the change would significantly
>  increase the security exposure ('privilege escalation').
> 
>  Deploying any heuristic for detecting mistaken Content-Types risks
>  overriding user intentions and misrepresenting data---accordingly
>  recipients SHOULD provide for users to disable sniffing in general
>  and/or in particular cases.
> 
> Thank you,
> 
> ht, by and on behalf of the TAG
> 
> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p3-payload-08#section-3.2.1
> [2] http://www.w3.org/2001/tag/2009/12/17-minutes.html#item05
> - -- 
>       Henry S. Thompson, School of Informatics, University of Edinburgh
>                         Half-time member of W3C Team
>      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
>                Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
>                       URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> 
> iD8DBQFLK9XPkjnJixAXWBoRAudxAJ9YZg70dC0piSh+34ftR5+X4n/y9wCdEHnw
> rWL3bWKkuX4nqIHyKmBQ4wI=
> =sZXk
> -----END PGP SIGNATURE-----
> 


--
Mark Nottingham     http://www.mnot.net/
Received on Tuesday, 29 December 2009 22:53:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:14 GMT