Re: Microsoft's "I mean it" content-type parameter

Justin James wrote:
> It is quite clear that you are ignoring the point here. The point is *not* what the spec says. As you point out, there is a serious disconnect between reality and the spec. What you are essentially saying is, "if everyone just followed the spec, everything would be fine." Which is true. But it is also not what happened. Which is the point.

No, I'm observing that a very small percentage of sites would be instantly
broken by such a draconian "course correction" by browser authors.

And a much larger number of vulnerable sites would be "resolved" by such
a correction (in respect to UTF-7 detection particularly, but many other
forms of sniffing in general).

Rather than persisting FUD, I'd challenge you to point out only one
significant site, and a relatively minor site, affected by such a change.
Folks who insist that sniffing is "necessary" really ought to back up the
assertion with hard data, or close the significant vulnerabilities that
persist in the ecosystem.

As mentioned in a previous note, sniffing served a noble purpose for a safer
environment, one that simply doesn't exist.

Received on Friday, 4 July 2008 04:41:47 UTC
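An added illustration of the UTF-7 point above (not part of the thread, and not code from any browser): a decoder that honours the declared charset and never sniffs, beside a small audit that flags responses a sniffing consumer could reinterpret as UTF-7. The windows-1252 fallback, the shift-sequence heuristic and the sample response are assumptions constructed for the example.

```python
import re

# Assumption: the legacy default a non-sniffing HTML consumer falls back to
# when the server declares no charset at all.
DEFAULT_CHARSET = "windows-1252"

# Heuristic (assumption): a UTF-7 shift sequence is '+', base64 text, '-'.
UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]{2,}-")

# Constructed sample: no charset, body carries the UTF-7 encoding of "<b>".
SAMPLE_CONTENT_TYPE = "text/html"
SAMPLE_BODY = b"<p>Hello +ADw-b+AD4-world</p>"


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    for part in content_type.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower() or None
    return None


def strict_decode(content_type, body):
    """Decode the way a consumer that takes the header at its word would:
    declared charset if present, fixed default otherwise, never sniffing."""
    charset = declared_charset(content_type) or DEFAULT_CHARSET
    return body.decode(charset, errors="replace")


def audit(content_type, body):
    """Flag responses whose encoding a sniffing consumer would have to guess."""
    findings = []
    if declared_charset(content_type) is None:
        findings.append("no charset declared; a sniffing consumer must guess")
        if UTF7_SHIFT.search(body):
            findings.append("body contains UTF-7 shift sequences; a guess of "
                            "UTF-7 would turn them into markup")
    return findings


if __name__ == "__main__":
    print(strict_decode(SAMPLE_CONTENT_TYPE, SAMPLE_BODY))
    for finding in audit(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print("-", finding)
```

The strict decode leaves the shift sequence as inert text, while the audit shows what a server should fix: declare the charset, and sniffing has nothing to guess.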