RE: webmail vulnerabilities: a new pragma token? from Eric D. Williams on 2000-01-21 (ietf-http-wg@w3.org from January to March 2000)

From: Eric D. Williams <eric@infobro.com>
Date: Thu, 20 Jan 2000 20:45:25 -0500
To: 'Josh Cohen' <joshco@exchange.microsoft.com>
Cc: "'http-wg@hplb.hpl.hp.com'" <http-wg@hplb.hpl.hp.com>
Message-ID: <01BF6387.877352C0.eric@infobro.com>

On Thursday, January 20, 2000 3:54 PM, Josh Cohen 
[SMTP:joshco@Exchange.Microsoft.com] wrote:
> > -----Original Message-----
> > From: Eric D. Williams [mailto:eric@infobro.com]
> > Sent: Thursday, January 20, 2000 12:16 PM
> > To: 'Larry Masinter'
> > Cc: 'http-wg@hplb.hpl.hp.com'
> > Subject: RE: webmail vulnerabilities: a new pragma token?
> > > Larry said:
> > >
> > > At least it would have the right extension behavior, namely
> > > that unaware recipients might save the content to disk but would
> > > be less likely to open it.
> >
> > Eric said:
> >
> > I don't know about that; if its not safe to a later 'aware'
> > recipient is probable and good, but older clients would not be able to
> > discriminate.  That could set up an interesting situation where browsers 
are updated or
> > trust-levels are upgraded; Excellent though.
> >
> Maybe Im misreading your words, but I think you missed
> part of larry's point.  By using a new MIME type,
> older browsers would implicitly discriminate.
> Today, a browser that gets an unknown mime time, which this
> new one would be, it will prompt the user to save it to disk
> instead of showing it.

Yes, that is true, my concern was/is with just that point.  After the item is 
saved many users attempt to open that 'troublesome' downloaded page.  The only 
thing I am saying is the content after saving to disk can still contain 
'malicious' scripting code and the browser could not then successfully 
discriminate unless the file name was some how also unlinked from the types 
'compatible' with the browser (read viewer) and parsed without scripting.

I say yes, Josh, you are correct that part was not clear.  Thanks.

> This would effectively prevent it from being displayed
> or executed without user consent.
>

Yes, user consent is a primary factor here (always), as well as _expected 
behavior_.  One should consider what a user would do concerning unknown types 
that are nominally displayed in their client, it could get confusing to say the 
least. A user may just map an association back to the browser at worst 
(education of the user is also a key issue) perhaps as you mentioned this is 
not an effective track (http-wg), but I am still not sure.

Eric

> >
> > Eric Williams, Pres.
> > Information Brokers, Inc.    Phone: +1 202.889.4395
> > http://www.infobro.com/        Fax: +1 202.889.4396
> > mailto:eric@infobro.com
> >            For More Info: info@infobro.com
> >

Received on Thursday, 20 January 2000 17:48:48 UTC