conformance languages (issue 278), was: Last Call: <draft-ietf-httpbis-content-disp-06.txt> (Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)) to Proposed Standard

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 01 Mar 2011 16:50:42 +0100
Message-ID: <4D6D15D2.8070704@gmx.de>
To: Barry Leiba <barryleiba@computer.org>
CC: ietf@ietf.org, ietf-http-wg@w3.org

Hi Barry,

we're tracking this as 
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/278>.


On 01.03.2011 00:33, Barry Leiba wrote:
> I'm sorry not to have posted this during WGLC, but I didn't notice it until now:
>
> The document uses the phrase "are advised [to do something]" in two
> places (the penultimate paragraph in Section 4.3, and the beginning of
> Appendix D).  I suggest that we either switch to 2119 language
> ("SHOULD [do something]") or insert a sentence into section 2 that
> explains the normative meaning of "ADVISED" that we intend (as being
> softer than SHOULD).  Even if we want to leave it fluffy, we should
> probably make it clear that we're intentionally leaving it fluffy.[1]
>
> Barry
>
> [1] Apologies to Cullen, in case he has trademarked "fluffy".

Or maybe we should revise RFC 2119 :-).

I agree that this needs tuning; but I'd rather not invent a new keyword 
for that.

The appendix D 
(<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.D>) 
isn't meant to be normative; thus I believe leaving it the way it is 
ought to be ok.

With respect to 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-06.html#rfc.section.4.3>, 
I believe we really should say "SHOULD" in all the three last items:

    o  Many platforms do not use Internet Media Types ([RFC2046]) to hold
       type information in the file system, but rely on filename
       extensions instead.  Trusting the server-provided file extension
       could introduce a privilege escalation when the saved file is
       later opened (consider ".exe").  Thus, recipients need to ensure
       that a file extension is used that is safe, optimally matching the
       media type of the received payload.

-> SHOULD ensure

    o  Recipients are advised to strip or replace character sequences
       that are known to cause confusion both in user interfaces and in
       filenames, such as control characters and leading and trailing
       whitespace.

-> SHOULD strip or replace

    o  Other aspects recipients need to be aware of are names that have a
       special meaning in the file system or in shell commands, such as
       "." and "..", "~", "|", and also device names.

-> ...and SHOULD ignore or substitute these names...

...the last one is a bit tricky, as what's special really depends on the 
operating system...

Best regards, Julian
Received on Tuesday, 1 March 2011 15:58:08 GMT
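
The three Section 4.3 items quoted in the message above, applied on the recipient side; this is an added example, not part of the original message or the draft. The extension allowlist, the `.bin` default, the `download` fallback and the Windows device-name list are assumptions made for the illustration.

```python
import os
import re
import unicodedata

# Assumption: a small media-type -> extension allowlist chosen for this example.
SAFE_EXT = {"text/plain": ".txt", "image/png": ".png", "application/pdf": ".pdf"}
DEFAULT_EXT = ".bin"  # assumption: inert extension for unlisted media types
# Windows device names; which names are special depends on the operating system.
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)
}
SPECIAL_CHARS = re.compile(r'[~|<>:"*?]')


def safe_filename(suggested, media_type, fallback="download"):
    """Derive a local filename from a server-suggested one."""
    # Keep only the last path segment, whichever separator the sender used.
    name = re.split(r"[\\/]", suggested)[-1]
    # Strip control and format characters (NUL, CR/LF, bidi overrides).
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))
    # Substitute characters with a special meaning in file systems or shells.
    name = SPECIAL_CHARS.sub("_", name.strip())
    # Removing surrounding dots and spaces also empties "." and "..".
    name = name.strip(". ")
    # Take the extension from the media type, never from the server's suggestion.
    ext = SAFE_EXT.get(media_type, DEFAULT_EXT)
    if name.lower().endswith(ext):
        stem = name[: -len(ext)]
    else:
        stem = os.path.splitext(name)[0]
        if stem.lower().endswith(ext):  # e.g. "invoice.pdf.exe"
            stem = stem[: -len(ext)]
    stem = stem.rstrip(". ")
    # Replace empty stems and device names ("CON", "nul.tar") with the fallback.
    if not stem.strip("_") or stem.split(".")[0].upper() in DEVICE_NAMES:
        stem = fallback
    return stem + ext
```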