
Re: Sniffing and HTTP-bis (ACTION-309)

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Wed, 02 Dec 2009 15:17:24 +0000
To: Julian Reschke <julian.reschke@gmx.de>
Cc: www-tag@w3.org
Message-ID: <f5bws152ynv.fsf@hildegard.inf.ed.ac.uk>

Julian Reschke writes:

> As far as I understand that algorithm, it will sometimes apply
> sniffing to content labeled text/plain, overriding it, for instance,
> as "text/html". Isn't that a significant change of the security
> exposure???

My memory is that at the TAG f2f in September we worked through [1]
carefully and concluded that it worked very hard at and did indeed
succeed in ruling _out_ exactly that kind of privilege escalation, but
I will now go back and take another look.

ht

[1] http://ietfreport.isoc.org/idref/draft-abarth-mime-sniff/
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
                         Half-time member of W3C Team
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Received on Wednesday, 2 December 2009 15:17:59 GMT
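The property Henry refers to, that the draft at [1] never sniffs a body served as text/plain up to a scriptable type, as an added illustration that is not part of this thread and not the draft's own text or code: a simplified Python rendering of the draft's "text or binary" branch, using a constructed subset of its non-scriptable signature table.

```python
# Added example: simplified re-implementation of the "text or binary"
# branch of draft-abarth-mime-sniff (the draft cited as [1] above).
# Not the draft's normative algorithm and not code from the draft or the
# TAG; the signature table below is a constructed subset for illustration.

# "Binary data bytes" as the draft defines them: a text/plain resource whose
# first 512 bytes contain any of these is treated as binary, not text.
BINARY_DATA_BYTES = frozenset(
    list(range(0x00, 0x09)) + [0x0B]
    + list(range(0x0E, 0x1B)) + list(range(0x1C, 0x20))
)

# Constructed subset of the draft's non-scriptable signatures. Only types
# that cannot carry script may result from sniffing a text/plain body.
NON_SCRIPTABLE_SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"%!PS-Adobe-", "application/postscript"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Byte-order marks: their presence means "text", whatever follows.
BOMS = (b"\xfe\xff", b"\xff\xfe", b"\xef\xbb\xbf")


def sniff_text_plain(body: bytes) -> str:
    """Sniffed type for a resource whose Content-Type header says text/plain.

    The only possible results are text/plain, one of the non-scriptable
    signature types, or application/octet-stream. text/html is never
    returned, so a text/plain label cannot be escalated to a scriptable type
    by the content it carries.
    """
    head = body[:512]
    if head.startswith(BOMS):
        return "text/plain"
    # No binary data bytes in the inspected prefix: honour the label as given.
    if not any(b in BINARY_DATA_BYTES for b in head):
        return "text/plain"
    # Binary content under a text/plain label: admit non-scriptable types only.
    for magic, mime_type in NON_SCRIPTABLE_SIGNATURES:
        if head.startswith(magic):
            return mime_type
    return "application/octet-stream"


if __name__ == "__main__":
    # Constructed sample: HTML markup served as text/plain stays text/plain.
    print(sniff_text_plain(b"<html><script>alert(1)</script></html>"))
```

Run directly, the block prints `text/plain` for the constructed HTML sample; a binary-looking body such as a PDF header followed by a NUL byte yields `application/pdf`, and unrecognised binary yields `application/octet-stream`.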
