Re: security impact of dropping charset default

On Thu, 2008-01-24 at 11:30 -0500, Yves Lafon wrote:

> It would be a nice addition to describe the issue in general, not only for 
> HTML content, when UAs are into the "content sniffing" business. It fits 
> well in the security section of HTTP.
> 
> The specific case of HTML needs also to be explained, but has its place in 
> a document reserved for browser implementors. I am pretty sure there is 
> already one that can be extended that way.

Adding a note in security considerations mentioning why servers' explicit
intentions on content-type and/or charset or encoding MUST NOT be
second-guessed by sniffing sounds like a good idea to me.

Regards
Henrik

Received on Tuesday, 5 February 2008 15:06:13 UTC