Re: Microsoft's "I mean it" content-type parameter

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Thu, 03 Jul 2008 23:41:00 -0500
Message-ID: <486DA9DC.8080100@rowe-clan.net>
To: Justin James <j_james@mindspring.com>
CC: 'Karl Dubost' <karl@w3.org>, 'Daniel Stenberg' <daniel@haxx.se>, 'HTTP Working Group' <ietf-http-wg@w3.org>, public-html@w3.org

Justin James wrote:
> It is quite clear that you are ignoring the point here. The point is *not* what the spec says. As you point out, there is a serious disconnect between reality and the spec. What you are essentially saying is, "if everyone just followed the spec, everything would be fine." Which is true. But it is also not what happened. Which is the point.

No, I'm observing that a very small percentage of sites would be instantly
broken by such a draconian "course correction" by browser authors.

And a much larger number of vulnerable sites would be "resolved" by such
a correction (in respect to UTF-7 detection particularly, but many other
forms of sniffing in general).

Rather than persisting FUD, I'd challenge you to point out only one
significant site, and a relatively minor site, affected by such a change.
Folks who insist that sniffing is "necessary" really ought to back up the
assertion with hard data, or close the significant vulnerabilities that
persist in the ecosystem.

As mentioned in a previous note, sniffing served a noble purpose for a safer
environment, one that simply doesn't exist.

Received on Friday, 4 July 2008 04:41:47 UTC