RE: webmail vulnerabilities: a new pragma token?

(Please note that the mailing list is really;
the "cuckoo" machine apparently is willing to forward some mail,
but I'm not at all sure that it's running the same mailing list.)

Even if sticking this kind of information in HTTP were appropriate
(which I don't think it is), using "pragma" would be the wrong
way to go about it. The whole notion of "Pragma" as a HTTP header
came from programming languages which used "Pragma" as a way of
sticking in random additional compiler directives because there were
a fixed number of "reserved words" in the language. There's was no
reason to use "Pragma" as an extension mechanism in the first place,
and certainly it shouldn't be continued.

> It would be nice if there were on an HTTP header that, if sent
> to the client, would cause the client to disable javascript,
> vbscript, etc. for that document only.

If you really wanted ot go this way, how about a new MIME type, e.g.,
"message/unsafe;type=http" which would have the semantics of
message/type (message/rfc822 or message/http) with the proviso that
the body is likely to be unsafe content.

At least it would have the right extension behavior, namely
that unaware recipients might save the content to disk but would
be less likely to open it.

Received on Thursday, 20 January 2000 11:21:03 UTC