W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: [apps-discuss] informal Last Call on draft-reschke-http-status-308-02

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 14 Jan 2012 19:17:20 +0100
Message-ID: <4F11C6B0.8090506@gmx.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>, IETF Apps Discuss <apps-discuss@ietf.org>
On 2012-01-14 18:49, Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>>> keep Internet Explorer 6 around? It should be possible to make an ex-
>>> ample that does not redirect to where you think it would, but I would
>>> have to set up a virtual machine for testing and there kinda would be no
>>> point if you don't have the right browser to try it.
>>
>> Could you elaborate about what this has to do with IE6?
>
> Without explicit declarations browsers will auto-detect an encoding and
> in case of Internet Explorer 6 that means that some US-ASCII documents
> without encoding declarations are treated as UTF-7 encoded documents, so
> if you try to redirect to something like /Bj+APY-rn/ IE might end up on
> /Björn/ even though "Bj+APY-rn" is "all US-ASCII". That problem was not
> specific to Internet Explorer 6, but it's the cheapest target. Avoiding
> such misdetection is important for security reasons, so responses with-
> out encoding declarations are likely to be or to become security risks.
> It's like seeing `"SELECT * FROM table WHERE column = '$user_input';"`
> in a PHP tutorial.

Ack. Thanks. "charset=" added.
Received on Saturday, 14 January 2012 18:18:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:52 GMT