W3C home > Mailing lists > Public > public-html@w3.org > January 2008

Re: ISSUE-28 (http-mime-override): Content type rules in HTML 5 overlaps with the HTTP specification? [HTML Principles/Requirements]

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 25 Jan 2008 12:48:33 -0800
Message-Id: <95C243C6-6F4E-4AB8-9E0F-EE24CEFFF909@gbiv.com>
Cc: "public-html@w3.org" <public-html@w3.org>
To: Boris Zbarsky <bzbarsky@MIT.EDU>

On Jan 25, 2008, at 8:45 AM, Boris Zbarsky wrote:
> Oh, one more note.  Gecko's sniffing behavior actually had to be  
> changed recently.  Unfortunately, the more recent Apache installs  
> changed from ISO-8859-1 to UTF-8 as the default encoding, without  
> changing the default content type behavior.

No, they haven't.  Where are you getting this stuff?  Try a clean  
installation
of any Apache version with the distributed configuration files  
(Apache will
not wipe out old configurations on install).  The only thing we define
utf-8 for is directory listings of file names, when known to be utf-8,
and our on-line manuals (all utf-8).

The DefaultType still exists on trunk, though it can be set to

   DefaultType none

Also, don't forget that the only reason Apache has the AddDefaultCharset
feature (off by default) is because browser sniffing of generated  
content
containing UTF-7 is a known security hole and adding a charset is the
only known workaround short of byte-scanning every message.  Every
time we try to remove it a bunch of ego-chasers submit XSS reports that
we have to work around.  If you start sniffing content with a charset,
then you had better remove support for the charsets that are only used
for XSS attacks.

....Roy
Received on Friday, 25 January 2008 20:48:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:12 GMT