
Re: Microsoft's "I mean it" content-type parameter

From: Robert Collins <robertc@robertcollins.net>
Date: Wed, 02 Jul 2008 21:26:03 +0000
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "public-html@w3.org" <public-html@w3.org>
Message-Id: <1215033933.28277.24.camel@lifeless-64>

On Wed, 2008-07-02 at 22:52 +0200, Julian Reschke wrote:
> Hi,
> (crossposted to both the HTTPbis WG's and HTML5 WG's mailing lists...)
> looking at 
> <http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx>:
> "MIME-Handling: Sniffing Opt-Out
> Next, we’ve provided web-applications with the ability to opt-out of 
> MIME-sniffing. Sending the new authoritative=true attribute on the 
> Content-Type HTTP response header prevents Internet Explorer from 
> MIME-sniffing a response away from the declared content-type."
> Let's ignore the issue of inventing a new media type parameter for all 
> new media types for a moment...
> It's good that MS recognizes that content-type-sniffing may be bad and 
> that they are doing something about it. But is this really the right 
> approach?

If they assume that fixing all the bust clients they have been shipping
for years is infeasible, then I think they would have concluded it's the
right way.

I think it's bogus - it requires every web site author in existence to
change their site to fix a defect in MSIE. That's got to be harder to
deploy than just a hotfix to MSIE to not sniff at all. 'Sorry, bad idea,
fixed in hotfix #12345.'

GPG key available at: <http://www.robertcollins.net/keys.txt>.

Received on Wednesday, 2 July 2008 22:34:21 UTC
