- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 23 Jan 2008 10:34:53 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: David Morris <dwm@xpasc.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Jan 23, 2008, at 9:17 AM, Julian Reschke wrote:

> David Morris wrote:
>> It seems to me that if there is a known security exposure for applications
>> built on HTTP, then the httpbis document should at the minimum note the
>> issue and provide a reference to the details. Seems like appropriate
>> content for the security section.
>
> My understanding was that that security risk is not specific to
> content transported over HTTP at all -- so I'd rather not talk
> about it in *this* document.

Because the only known way to avoid the security holes in existing browsers that sniff UTF-7 is to add a charset parameter even when the exact charset is not known to the server. That is specific to HTTP and is a known problem due to browsers ignoring the existing requirements of HTTP that this thread intends to remove.

....Roy
Received on Wednesday, 23 January 2008 18:35:02 UTC
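The mitigation Roy describes (always send an explicit charset parameter on text responses so browsers have nothing to sniff) can be checked mechanically. The following is an added example, not code from this thread or from the httpbis working group: it parses Content-Type header values, flags text/* responses that carry no charset parameter, and shows how a server or reverse proxy could append one. The choice of ISO-8859-1 as the fallback value is an assumption made here (it is the default HTTP/1.1 assigned to text/* when no charset is given); the sample header values are constructed.

```python
"""Audit and repair text/* Content-Type headers that lack a charset parameter.

Added example; not part of the original mailing-list message.
Assumption: ISO-8859-1 is used as the fallback charset, since HTTP/1.1
treats it as the default for text/* when none is declared. Making it
explicit denies browsers the opportunity to guess (e.g. UTF-7 sniffing).
"""
import re
from typing import Dict, List, Tuple

DEFAULT_CHARSET = "ISO-8859-1"  # assumption: explicit form of the HTTP/1.1 default

# RFC 2616 token characters; used for parameter names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One ";name=value" parameter; value is either a quoted-string or a token.
_PARAM_RE = re.compile(r';\s*(' + _TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r')')


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; ...' into (lowercase media type, params).

    Parameter names are lowercased; quoted-string values are unquoted and
    backslash escapes are resolved. Values keep their original case.
    """
    head, _, rest = value.partition(";")
    media_type = head.strip().lower()
    params: Dict[str, str] = {}
    # Re-prepend the ';' so every parameter has the same shape for the regex.
    for match in _PARAM_RE.finditer(";" + rest):
        name = match.group(1).lower()
        raw = match.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[name] = raw
    return media_type, params


def missing_charset(content_type: str) -> bool:
    """True when a text/* media type is sent without a charset parameter."""
    media_type, params = parse_content_type(content_type)
    return media_type.startswith("text/") and "charset" not in params


def with_default_charset(content_type: str, default: str = DEFAULT_CHARSET) -> str:
    """Return the header value unchanged, or with an explicit charset appended."""
    if not missing_charset(content_type):
        return content_type
    return content_type.rstrip().rstrip(";") + f"; charset={default}"


def audit(responses: Dict[str, str]) -> List[str]:
    """Return the paths whose Content-Type leaves the charset to the browser."""
    return sorted(path for path, ct in responses.items() if missing_charset(ct))


# Constructed sample: path -> Content-Type value observed in the response.
SAMPLE_RESPONSES = {
    "/index.html": "text/html",                          # flagged: no charset
    "/page.html": "text/html; charset=utf-8",            # fine
    "/data.json": "application/json",                    # not text/*, not flagged
    "/legacy.txt": 'text/plain;charset="ISO-8859-1"',    # fine, quoted value
}

if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print(f"{path}: {SAMPLE_RESPONSES[path]!r} -> "
              f"{with_default_charset(SAMPLE_RESPONSES[path])!r}")
```

Run as a script it lists only `/index.html` and prints the repaired header value. In practice the repair step belongs where the response is generated or in a reverse proxy that normalizes headers, and the audit step can run over proxy or server logs that record Content-Type.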