W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: [apps-discuss] informal Last Call on draft-reschke-http-status-308-02

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 14 Jan 2012 18:49:30 +0100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, IETF Apps Discuss <apps-discuss@ietf.org>
Message-ID: <r6e3h7tjp3q1fup4qbkugskociimsvoucs@hive.bjoern.hoehrmann.de>
* Julian Reschke wrote:
>> keep Internet Explorer 6 around? It should be possible to make an ex-
>> ample that does not redirect to where you think it would, but I would
>> have to set up a virtual machine for testing and there kinda would be no
>> point if you don't have the right browser to try it.
>
>Could you elaborate about what this has to do with IE6?

Without explicit declarations browsers will auto-detect an encoding and
in case of Internet Explorer 6 that means that some US-ASCII documents
without encoding declarations are treated as UTF-7 encoded documents, so
if you try to redirect to something like /Bj+APY-rn/ IE might end up on
/Björn/ even though "Bj+APY-rn" is "all US-ASCII". That problem was not
specific to Internet Explorer 6, but it's the cheapest target. Avoiding
such misdetection is important for security reasons, so responses with-
out encoding declarations are likely to be or to become security risks.
It's like seeing `"SELECT * FROM table WHERE column = '$user_input';"`
in a PHP tutorial.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 14 January 2012 17:50:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:52 GMT