
Re: mime-web-info 6.1 feedback

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Wed, 27 Oct 2010 10:44:12 -0400
Message-ID: <4CC83ABC.7080508@arcanedomain.com>
To: Larry Masinter <masinter@adobe.com>
CC: "eric@bisonsystems.net" <eric@bisonsystems.net>, "www-tag@w3.org" <www-tag@w3.org>, Adam Barth <ietf@adambarth.com>

Larry,

I haven't had time to read this revision yet.  Do you feel there's enough 
new that we should spend some time with TAG members at TPAC Monday morning 
to work through the changes?  Since we just did a lot of work in Mountain 
View, the agenda for Monday at TPAC is more open than usual.  Thank you.

Noah

On 10/26/2010 2:44 AM, Larry Masinter wrote:
> Up against the deadline for submitting new versions, I posted
>
> http://tools.ietf.org/html/draft-masinter-mime-web-info-01
>
> without carefully addressing your comment on the “applications that use
> this type” in what had been section 6.1 (in fact, the text in -01 is
> unfortunately incoherent.)
>
> I was thinking about this, and wonder if the issue is really around the
> security considerations for sniffing and privilege escalation…
>
> Content that allows hyperlinks to embedded content
>
> -- which is (or is not) commonly automatically retrieved to display
>
> E.g., html with embedded IMG tags
>
> Content that contains scripting:
>
> where script content can access the internet
>
> -- with or without sandboxing
>
> where script content can access the “local file system”
>
> Content that is not intended to be scriptable
>
> Buggy software can turn a JPEG into scriptable content which accesses the
> local file system, but it’s “buggy”?
>
> Turning text/plain into malicious content might involve attacks on the UTF8
> decoders?
>
> Note that some fonts are scriptable….
>
> Larry
>
> --
>
> http://larry.masinter.net
>
Received on Wednesday, 27 October 2010 14:44:45 GMT
