Re: NEW ISSUE: content sniffing

On Fri, 3 Apr 2009, Adrien de Croy wrote:
> 
> So why should HTTP validate that the next level identifier 
> (Content-Type) is correct for the entity body?

Because there is a practical difference between the Ethernet/IP and the 
IP/TCP boundaries, and the HTTP/Content boundary. In the latter case, 
there are millions if not billions of cases where authors who have never 
even heard of HTTP are misconfiguring their servers, leaving user software 
in the unfortunate position of having to balance the satisfaction of their 
users (which would require some heuristic processing of the claimed type) 
and compliance with the specifications.

Generally, money will win in this kind of balance.

In the Ethernet/IP and the IP/TCP cases, the software is written by people 
who have at least heard of the relevant specifications, and may even have 
read them. There are also FAR fewer implementations of those levels of the 
stack than there are misconfigured installations of HTTP servers.


> There are zillions of content types.  Why should HTTP care about them?  
> It's an impossible task.

We're not saying HTTP should care about them. We're saying that one of 
these two options should be picked:

Either:

a) HTTP should not have any requirements for how to process Content-Type 
headers, and should just leave Content-Type to another spec, or:

b) HTTP should include the proposed limited Content-Sniffing algorithm, 
which would allow us to get software tools to converge on a single set of 
heuristics and thus reduce the security risk.

Note that we are _not_ asking for a uniform way of detecting all content 
types. In the vast majority of those "zillions" of cases, the algorithm 
Adam's I-D specifies will require UAs to honour the type.


> Now in a browser there is a next-level processor above HTTP.

This is not in any way limited to browsers. It applies to any tool that 
uses HTTP for user-visible content processing.


> It's the thing that actually gets the resource.  It's free to do 
> whatever it likes with that content.

No, HTTP says of the Content-Type header "its value indicates what 
additional content codings have been applied to the entity-body, and thus 
what decoding mechanisms must be applied in order to obtain the media-type 
referenced by the Content-Type header field".

If this is intended to allow user agents to ignore the Content-Type 
header, or apply heuristics, then a clearer statement of this would be an 
acceptable solution (proposal "a" above).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 3 April 2009 05:37:10 UTC